Theory Projection
theory Projection
imports Main
begin
(* Trace projection  l ↿ E : the subsequence of l consisting of the events that lie in
   E, order preserved.  This is the observation operator of the whole development:
   later theories apply it with the event sets of a view (e.g. τ ↿ V) to express what
   an observer of those events sees of a system trace τ. *)
definition projection:: "'e list ⇒ 'e set ⇒ 'e list" (infixl "↿" 100)
where
"l ↿ E ≡ filter (λx . x ∈ E) l"
(* Enlarging the projection set by events that do not occur in l changes nothing. *)
lemma projection_on_union:
"l ↿ Y = [] ⟹ l ↿ (X ∪ Y) = l ↿ X"
proof (induct l)
case Nil show ?case by (simp add: projection_def)
next
case (Cons a b) show ?case
proof (cases "a ∈ Y")
case True from Cons show "a ∈ Y ⟹ (a # b) ↿ (X ∪ Y) = (a # b) ↿ X"
by (simp add: projection_def)
next
case False from Cons show "a ∉ Y ⟹ (a # b) ↿ (X ∪ Y) = (a # b) ↿ X"
by (simp add: projection_def)
qed
qed
(* Trivial cases: projecting the empty trace, and projecting onto the empty set. *)
lemma projection_on_empty_trace: "[] ↿ X =[]" by (simp add: projection_def)
lemma projection_to_emptyset_is_empty_trace: "l ↿{} = []" by (simp add: projection_def)
(* Projecting twice onto the same set is the same as projecting once. *)
lemma projection_idempotent: "l ↿ X= (l ↿X) ↿X" by (simp add: projection_def)
(* An empty projection means that no event of l lies in X. *)
lemma projection_empty_implies_absence_of_events: "l ↿ X = [] ⟹ X ∩ (set l) = {}"
by (metis empty_set inter_set_filter projection_def)
(* Successive projections onto disjoint sets leave nothing.  The induction runs on the
   unfolded filter form, which is why the goals below spell out [x←… . x ∈ X]. *)
lemma disjoint_projection: "X ∩ Y = {} ⟹ (l ↿ X) ↿ Y = []"
proof -
assume X_Y_disjoint: "X ∩ Y = {}"
show "(l ↿ X) ↿ Y = []" unfolding projection_def
proof (induct l)
case Nil show ?case by simp
next
case (Cons x xs) show ?case
proof (cases "x ∈ X")
case True
with X_Y_disjoint have "x ∉ Y" by auto
thus "[x←[x←x # xs . x ∈ X] . x ∈ Y] = []" using Cons.hyps by auto
next
case False show "[x←[x←x # xs . x ∈ X] . x ∈ Y] = []" using Cons.hyps False by auto
qed
qed
qed
(* Projection distributes over concatenation.  The splitting lemmas below rely on this
   to reason about a trace piece by piece. *)
lemma projection_concatenation_commute:
"(l1 @ l2) ↿ X = (l1 ↿ X) @ (l2 ↿ X)"
by (unfold projection_def, auto)
(* Traces that agree on the events of X ∪ Y also agree on the events of X. *)
lemma projection_subset_eq_from_superset_eq:
"((xs ↿ (X ∪ Y)) = (ys ↿ (X ∪ Y))) ⟹ ((xs ↿ X) = (ys ↿ X))"
(is "(?L1 = ?L2) ⟹ (?L3 = ?L4)")
proof -
assume prem: "?L1 = ?L2"
have "?L1 ↿ X = ?L3 ∧ ?L2 ↿ X = ?L4"
proof -
have "⋀ a. ((a ∈ X ∨ a ∈ Y) ∧ a ∈ X) = (a ∈ X)"
by auto
thus ?thesis
by (simp add: projection_def)
qed
with prem show ?thesis
by auto
qed
(* A trace lies entirely within X exactly when projecting onto X leaves it unchanged. *)
lemma list_subset_iff_projection_neutral: "(set l ⊆ X) = ((l ↿ X) = l)"
(is "?A = ?B")
proof -
have "?A ⟹ ?B"
proof -
assume "?A"
hence "⋀x. x ∈ (set l) ⟹ x ∈ X"
by auto
thus ?thesis
by (simp add: projection_def)
qed
moreover
have "?B ⟹ ?A"
proof -
assume "?B"
hence "(set (l ↿ X)) = set l"
by (simp add: projection_def)
thus ?thesis
by (simp add: projection_def, auto)
qed
ultimately show ?thesis ..
qed
(* Splitting at the last X-event: if τ ↿ X has n+1 elements then τ = β @ [x] @ α with
   x ∈ X, an X-free suffix α, and exactly n X-events in the remainder β @ α.  The proof
   works on rev τ, where the last X-event of τ is the first one that filter finds
   (Cons_eq_filterD), and then reverses back. *)
lemma projection_split_last: "Suc n = length (τ ↿ X) ⟹
∃ β x α. (x ∈ X ∧ τ = β @ [x] @ α ∧ α ↿ X = [] ∧ n = length ((β @ α) ↿ X))"
proof -
assume Suc_n_is_len_τX: "Suc n = length (τ ↿ X)"
let ?L = "τ ↿ X"
(* ?RL is the projection of the reversed trace; rev_filter relates it to rev ?L. *)
let ?RL = "filter (λx . x ∈ X) (rev τ)"
have "Suc n = length ?RL"
proof -
have "rev ?L = ?RL"
by (simp add: projection_def, rule rev_filter)
hence "rev (rev ?L) = rev ?RL" ..
hence "?L = rev ?RL"
by auto
with Suc_n_is_len_τX show ?thesis
by auto
qed
with Suc_length_conv[of n ?RL] obtain x xs
where "?RL = x # xs"
by auto
hence "x # xs = ?RL"
by auto
(* The first element kept by filter on rev τ is preceded only by non-X events. *)
from Cons_eq_filterD[OF this] obtain revα revβ
where "(rev τ) = revα @ x # revβ"
and revα_no_x: "∀a ∈ set revα. a ∉ X"
and x_in_X: "x ∈ X"
by auto
hence "rev (rev τ) = rev (revα @ x # revβ)"
by auto
hence "τ = (rev revβ) @ [x] @ (rev revα)"
by auto
then obtain β α
where τ_is_βxα: "τ = β @ [x] @ α"
and α_is_revrevα: "α = (rev revα)"
and β_is_revrevβ: "β = (rev revβ)"
by auto
hence α_no_x: "α ↿ X = []"
proof -
from α_is_revrevα revα_no_x have "∀a ∈ set α. a ∉ X"
by auto
thus ?thesis
by (simp add: projection_def)
qed
(* Length bookkeeping: the n+1 X-events of τ are the n of β plus x itself. *)
have "n = length ((β @ α) ↿ X)"
proof -
from α_no_x have αX_zero_len: "length (α ↿ X) = 0"
by auto
from x_in_X have xX_one_len: "length ([x] ↿ X) = 1"
by (simp add: projection_def)
from τ_is_βxα have "length ?L = length (β ↿ X) + length ([x] ↿ X) + length (α ↿ X)"
by (simp add: projection_def)
with αX_zero_len have "length ?L = length (β ↿ X) + length ([x] ↿ X)"
by auto
with xX_one_len Suc_n_is_len_τX have "n = length (β ↿ X)"
by auto
with αX_zero_len show ?thesis
by (simp add: projection_def)
qed
with x_in_X τ_is_βxα α_no_x show ?thesis
by auto
qed
(* Reversal and projection commute. *)
lemma projection_rev_commute:
"rev (l ↿ X) = (rev l) ↿ X"
by (induct l, simp add: projection_def, simp add: projection_def)
(* Splitting at the first X-event of τ: everything before x is X-free.  Obtained by
   applying projection_split_last to rev τ and reversing the result. *)
lemma projection_split_first: "⟦ (τ ↿ X) = x # xs ⟧ ⟹ ∃ α β. (τ = α @ [x] @ β ∧ α ↿ X = [])"
proof -
assume τX_is_x_xs: "(τ ↿ X) = x # xs"
hence "0 ≠ length (τ ↿ X)"
by auto
hence "0 ≠ length (rev (τ ↿ X))"
by auto
hence "0 ≠ length ((rev τ) ↿ X)"
by (simp add: projection_rev_commute)
then obtain n where "Suc n = length ((rev τ) ↿ X)"
by (auto, metis Suc_pred length_greater_0_conv that)
from projection_split_last[OF this] obtain β' x' α'
where x'_in_X: "x' ∈ X"
and revτ_is_β'x'α': "rev τ = β' @ [x'] @ α'"
and α'X_empty: "α' ↿ X = []"
by auto
from revτ_is_β'x'α' have "rev (rev τ) = rev (β' @ [x'] @ α')" ..
hence τ_is_revα'_x'_revβ':"τ = rev α' @ [x'] @ rev β'"
by auto
moreover
from α'X_empty have revα'X_empty: "rev α' ↿ X = []"
by (metis projection_rev_commute rev_is_Nil_conv)
moreover
note x'_in_X
ultimately have "(τ ↿ X) = x' # ((rev β') ↿ X)"
by (simp only: projection_concatenation_commute projection_def, auto)
(* The split element x' must be the head x of the projection. *)
with τX_is_x_xs have "x = x'"
by auto
with τ_is_revα'_x'_revβ' have τ_is_revα'_x_revβ': "τ = rev α' @ [x] @ rev β'"
by auto
with revα'X_empty show ?thesis
by auto
qed
(* As projection_split_first, but additionally identifies the projection of the part
   after x with the tail xs of the projection. *)
lemma projection_split_first_with_suffix:
"⟦ (τ ↿ X) = x # xs ⟧ ⟹ ∃ α β. (τ = α @ [x] @ β ∧ α ↿ X = [] ∧ β ↿ X = xs)"
proof -
assume tau_proj_X: "(τ ↿ X) = x # xs"
show ?thesis
proof -
from tau_proj_X have x_in_X: "x ∈ X"
by (metis IntE inter_set_filter list.set_intros(1) projection_def)
from tau_proj_X have "∃ α β. τ = α @ [x] @ β ∧ α ↿ X = []"
using projection_split_first by auto
then obtain α β where tau_split: "τ = α @ [x] @ β"
and X_empty_prefix:"α ↿ X = []"
by auto
from tau_split tau_proj_X have "(α @ [x] @ β) ↿ X =x # xs"
by auto
with X_empty_prefix have "([x] @ β) ↿ X =x # xs"
by (simp add: projection_concatenation_commute)
hence "(x # β) ↿ X =x # xs"
by auto
with x_in_X have "β ↿ X = xs"
unfolding projection_def by simp
with tau_split X_empty_prefix show ?thesis
by auto
qed
qed
(* If the X-projection of τ has the form (α @ [x] @ β) ↿ X for some x ∈ X, then τ itself
   can be cut at an occurrence of x such that the two halves match α and β on X.
   Induction on the number of X-events before x, i.e. length (α ↿ X); each step peels
   off the first X-event of both α and τ with projection_split_first_with_suffix. *)
lemma projection_split_arbitrary_element:
"⟦τ ↿ X = (α @ [x] @ β) ↿ X; x ∈ X ⟧
⟹ ∃ α' β'. (τ = α' @ [x] @ β' ∧ α' ↿ X = α ↿ X ∧ β' ↿ X = β ↿ X)"
proof -
assume "τ ↿ X = (α @ [x] @ β) ↿ X"
and " x ∈ X"
{
fix n
have "⟦τ ↿ X = (α @ [x] @ β) ↿ X; x ∈ X; n = length(α↿X) ⟧
⟹ ∃ α' β'. (τ = α' @ [x] @ β' ∧ α' ↿ X = α ↿ X ∧ β' ↿ X = β ↿ X)"
proof (induct n arbitrary: τ α )
case 0
(* No X-events before x: x is the first X-event of τ. *)
hence "α↿X = []"
unfolding projection_def by simp
with "0.prems"(1) "0.prems"(2) have "τ↿X = x # β↿X"
unfolding projection_def by simp
with ‹α↿X = []› show ?case
using projection_split_first_with_suffix by fastforce
next
case (Suc n)
from "Suc.prems"(1) have "τ↿X=α↿X @ ([x] @ β) ↿X"
using projection_concatenation_commute by auto
from "Suc.prems"(3) obtain x' xs' where "α ↿X= x' #xs'"
and "x' ∈ X"
by (metis filter_eq_ConsD length_Suc_conv projection_def)
then obtain a⇩1 a⇩2 where "α = a⇩1 @ [x'] @ a⇩2"
and "a⇩1↿X = []"
and "a⇩2↿X = xs'"
using projection_split_first_with_suffix by metis
with ‹x' ∈ X› "Suc.prems"(1) have "τ↿X= x' # (a⇩2 @ [x] @ β) ↿X"
unfolding projection_def by simp
then obtain t⇩1 t⇩2 where "τ= t⇩1 @ [x'] @ t⇩2"
and "t⇩1↿X = []"
and "t⇩2↿X = (a⇩2 @ [x] @ β) ↿X"
using projection_split_first_with_suffix by metis
from Suc.prems(3) ‹α ↿X= x' # xs'› ‹α = a⇩1 @ [x'] @ a⇩2› ‹a⇩1↿X = []› ‹a⇩2↿X = xs'›
have "n=length(a⇩2↿X)"
by auto
(* Induction hypothesis applied to the remainders t⇩2 and a⇩2. *)
with "Suc.hyps"(1) "Suc.prems"(2) ‹t⇩2↿X = (a⇩2 @ [x] @ β) ↿X›
obtain t⇩2' t⇩3' where "t⇩2=t⇩2' @ [x] @ t⇩3'"
and "t⇩2'↿X = a⇩2↿X"
and "t⇩3'↿X = β↿X"
using projection_concatenation_commute by blast
let ?α'="t⇩1 @ [x'] @ t⇩2'" and ?β'="t⇩3'"
from ‹τ= t⇩1 @ [x'] @ t⇩2› ‹t⇩2=t⇩2' @ [x] @ t⇩3'› have "τ=?α'@[x]@?β'"
by auto
moreover
from ‹α ↿X= x' # xs'› ‹t⇩1↿X = []› ‹x' ∈ X› ‹t⇩2'↿X = a⇩2↿X› ‹a⇩2↿X = xs'›
have "?α'↿X = α↿X"
using projection_concatenation_commute unfolding projection_def by simp
ultimately
show ?case using ‹t⇩3'↿X = β↿X›
by blast
qed
}
with ‹τ ↿ X = (α @ [x] @ β) ↿ X› ‹ x ∈ X› show ?thesis
by simp
qed
(* "Has no X-events" is inherited by every subset of X. *)
lemma projection_on_intersection: "l ↿ X = [] ⟹ l ↿ (X ∩ Y) = []"
(is "?L1 = [] ⟹ ?L2 = []")
proof -
assume "?L1 = []"
hence "set ?L1 = {}"
by simp
moreover
have "set ?L2 ⊆ set ?L1"
by (simp add: projection_def, auto)
ultimately have "set ?L2 = {}"
by auto
thus ?thesis
by auto
qed
lemma projection_on_subset: "⟦ Y ⊆ X; l ↿ X = [] ⟧ ⟹ l ↿ Y = []"
proof -
assume subset: "Y ⊆ X"
assume proj_empty: "l ↿ X = []"
hence "l ↿ (X ∩ Y) = []"
by (rule projection_on_intersection)
moreover
from subset have "X ∩ Y = Y"
by auto
ultimately show ?thesis
by auto
qed
(* Variant for a trace known to be over L: only the part of X inside L matters, and it
   suffices that this part is covered by a set X' on which the projection is empty. *)
lemma projection_on_subset2: "⟦ set l ⊆ L; l ↿ X' = []; X ∩ L ⊆ X' ⟧ ⟹ l ↿ X = []"
proof -
assume setl_subset_L: "set l ⊆ L"
assume l_no_X': "l ↿ X' = []"
assume X_inter_L_subset_X': "X ∩ L ⊆ X'"
from X_inter_L_subset_X' l_no_X' have "l ↿ (X ∩ L) = []"
by (rule projection_on_subset)
moreover
have "l ↿ (X ∩ L) = (l ↿ L) ↿ X"
by (simp add: Int_commute projection_def)
moreover
note setl_subset_L
ultimately show ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
(* Agreement on a larger event set implies agreement on a smaller one (conjunction form
   of projection_subset_eq_from_superset_eq). *)
lemma non_empty_projection_on_subset: "X ⊆ Y ∧ l⇩1 ↿ Y = l⇩2 ↿ Y ⟹ l⇩1 ↿ X = l⇩2 ↿ X"
by (metis projection_subset_eq_from_superset_eq subset_Un_eq)
(* For a trace over X, intersecting the projection set with X is redundant. *)
lemma projection_intersection_neutral: "(set l ⊆ X) ⟹ (l ↿ (X ∩ Y) = l ↿ Y)"
proof -
assume "set l ⊆ X"
hence "(l ↿ X) = l"
by (simp add: list_subset_iff_projection_neutral)
hence "(l ↿ X) ↿ Y = l ↿ Y"
by simp
moreover
have "(l ↿ X) ↿ Y = l ↿ (X ∩ Y)"
by (simp add: projection_def)
ultimately show ?thesis
by simp
qed
(* Algebra of nested projections: they commute, a projection onto a superset can be
   dropped, and two projections collapse into one onto the intersection. *)
lemma projection_commute:
"(l ↿ X) ↿ Y = (l ↿ Y) ↿ X"
by (simp add: projection_def conj_commute)
lemma projection_subset_elim: "Y ⊆ X ⟹ (l ↿ X) ↿ Y = l ↿ Y"
by (simp only: projection_def, metis Diff_subset list_subset_iff_projection_neutral
minus_coset_filter order_trans projection_commute projection_def)
lemma projection_sequence: "(xs ↿ X) ↿ Y = (xs ↿ (X ∩ Y))"
by (metis Int_absorb inf_sup_ord(1) list_subset_iff_projection_neutral
projection_intersection_neutral projection_subset_elim)
(* merge A B t1 t2 interleaves a trace t1 (over A) with a trace t2 (over B), treating the
   events of A ∩ B as shared:
   - equal heads are emitted once and both traces advance (synchronisation);
   - if the head e1 of t1 is shared but differs from e2, e2 is emitted and t1 waits
     (under the agreement assumption of merge_property, e2 is then no A-event, see
     e2_notin_A in that proof);
   - otherwise e1 is not shared and is emitted first.
   A and B are consulted only for the shared-event test. *)
fun merge :: "'e set ⇒ 'e set ⇒ 'e list ⇒ 'e list ⇒ 'e list"
where
"merge A B [] t2 = t2" |
"merge A B t1 [] = t1" |
"merge A B (e1 # t1') (e2 # t2') = (if e1 = e2 then
e1 # (merge A B t1' t2')
else (if e1 ∈ (A ∩ B) then
e2 # (merge A B (e1 # t1') t2')
else e1 # (merge A B t1' (e2 # t2'))))"
(* Correctness of merge: if t1 is over A, t2 is over B, and both agree on the shared
   events (t1 ↿ B = t2 ↿ A), then the merged trace projects back to t1 on A and to t2 on
   B and uses only events of t1 and t2.  This is exactly the shape a trace of a composed
   event system must have (see the trace set of composeES in EventSystems), so the lemma
   is presumably what allows component traces to be combined into a trace of the
   composition.  The three cases below mirror the three equations of merge. *)
lemma merge_property: "⟦set t1 ⊆ A; set t2 ⊆ B; t1 ↿ B = t2 ↿ A ⟧
⟹ let t = (merge A B t1 t2) in (t ↿ A = t1 ∧ t ↿ B = t2 ∧ set t ⊆ ((set t1) ∪ (set t2)))"
unfolding Let_def
proof (induct A B t1 t2 rule: merge.induct)
case (1 A B t2) thus ?case
by (metis Un_empty_left empty_subsetI list_subset_iff_projection_neutral
merge.simps(1) set_empty subset_iff_psubset_eq)
next
case (2 A B t1) thus ?case
by (metis Un_empty_right empty_subsetI list_subset_iff_projection_neutral
merge.simps(2) set_empty subset_refl)
next
case (3 A B e1 t1' e2 t2') thus ?case
proof (cases)
(* Case e1 = e2: the shared head is emitted once, recurse on both tails. *)
assume e1_is_e2: "e1 = e2"
note e1_is_e2
moreover
from 3(4) have "set t1' ⊆ A"
by auto
moreover
from 3(5) have "set t2' ⊆ B"
by auto
moreover
from e1_is_e2 3(4-6) have "t1' ↿ B = t2' ↿ A"
by (simp add: projection_def)
moreover
note 3(1)
ultimately have ind1: "merge A B t1' t2' ↿ A = t1'"
and ind2: "merge A B t1' t2' ↿ B = t2'"
and ind3: "set (merge A B t1' t2') ⊆ (set t1') ∪ (set t2')"
by auto
from e1_is_e2 have merge_eq:
"merge A B (e1 # t1') (e2 # t2') = e1 # (merge A B t1' t2')"
by auto
from 3(4) ind1 have goal1:
"merge A B (e1 # t1') (e2 # t2') ↿ A = e1 # t1'"
by (simp only: merge_eq projection_def, auto)
moreover
from e1_is_e2 3(5) ind2 have goal2:
"merge A B (e1 # t1') (e2 # t2') ↿ B = e2 # t2'"
by (simp only: merge_eq projection_def, auto)
moreover
from ind3 have goal3:
"set (merge A B (e1 # t1') (e2 # t2')) ⊆ set (e1 # t1') ∪ set (e2 # t2')"
by (simp only: merge_eq, auto)
ultimately show ?thesis
by auto
next
assume e1_isnot_e2: "e1 ≠ e2"
show ?thesis
proof (cases)
(* Case e1 shared but e1 ≠ e2: agreement on shared events forces e2 ∉ A, so e2 can be
   emitted without disturbing the A-projection. *)
assume e1_in_A_inter_B: "e1 ∈ A ∩ B"
from 3(6) e1_isnot_e2 e1_in_A_inter_B have e2_notin_A: "e2 ∉ A"
by (simp add: projection_def, auto)
note e1_isnot_e2 e1_in_A_inter_B 3(4)
moreover
from 3(5) have "set t2' ⊆ B"
by auto
moreover
from 3(6) e1_isnot_e2 e1_in_A_inter_B have "(e1 # t1') ↿ B = t2' ↿ A"
by (simp add: projection_def, auto)
moreover
note 3(2)
ultimately have ind1: "merge A B (e1 # t1') t2' ↿ A = (e1 # t1')"
and ind2: "merge A B (e1 # t1') t2' ↿ B = t2'"
and ind3: "set (merge A B (e1 # t1') t2') ⊆ set (e1 # t1') ∪ set t2'"
by auto
from e1_isnot_e2 e1_in_A_inter_B
have merge_eq:
"merge A B (e1 # t1') (e2 # t2') = e2 # (merge A B (e1 # t1') t2')"
by auto
from e1_isnot_e2 ind1 e2_notin_A have goal1:
"merge A B (e1 # t1') (e2 # t2') ↿ A = e1 # t1'"
by (simp only: merge_eq projection_def, auto)
moreover
from 3(5) ind2 have goal2: "merge A B (e1 # t1') (e2 # t2') ↿ B = e2 # t2'"
by (simp only: merge_eq projection_def, auto)
moreover
from 3(5) ind3 have goal3:
"set (merge A B (e1 # t1') (e2 # t2')) ⊆ set (e1 # t1') ∪ set (e2 # t2')"
by (simp only: merge_eq, auto)
ultimately show ?thesis
by auto
next
(* Case e1 not shared: since t1 is over A, e1 ∉ B, so emitting e1 leaves the
   B-projection untouched. *)
assume e1_notin_A_inter_B: "e1 ∉ A ∩ B"
from 3(4) e1_notin_A_inter_B have e1_notin_B: "e1 ∉ B"
by auto
note e1_isnot_e2 e1_notin_A_inter_B
moreover
from 3(4) have "set t1' ⊆ A"
by auto
moreover
note 3(5)
moreover
from 3(6) e1_notin_B have "t1' ↿ B = (e2 # t2') ↿ A"
by (simp add: projection_def)
moreover
note 3(3)
ultimately have ind1: "merge A B t1' (e2 # t2') ↿ A = t1'"
and ind2: "merge A B t1' (e2 # t2') ↿ B = (e2 # t2')"
and ind3: "set (merge A B t1' (e2 # t2')) ⊆ set t1' ∪ set (e2 # t2')"
by auto
from e1_isnot_e2 e1_notin_A_inter_B
have merge_eq: "merge A B (e1 # t1') (e2 # t2') = e1 # (merge A B t1' (e2 # t2'))"
by auto
from 3(4) ind1 have goal1: "merge A B (e1 # t1') (e2 # t2') ↿ A = e1 # t1'"
by (simp only: merge_eq projection_def, auto)
moreover
from ind2 e1_notin_B have goal2:
"merge A B (e1 # t1') (e2 # t2') ↿ B = e2 # t2'"
by (simp only: merge_eq projection_def, auto)
moreover
from 3(4) ind3 have goal3:
"set (merge A B (e1 # t1') (e2 # t2')) ⊆ set (e1 # t1') ∪ set (e2 # t2')"
by (simp only: merge_eq, auto)
ultimately show ?thesis
by auto
qed
qed
qed
end
Theory Prefix
theory Prefix
imports Main
begin
(* l1 ≼ l2: l1 is an initial segment of l2 (some l3 extends l1 to l2). *)
definition prefix :: "'e list ⇒ 'e list ⇒ bool" (infixl "≼" 100)
where
"(l1 ≼ l2) ≡ (∃l3. l1 @ l3 = l2)"
(* A trace set is prefix-closed if every prefix of a member is a member.  This is the
   standard well-formedness condition on the traces of a system: whatever the system can
   do, it could also have stopped earlier. *)
definition prefixclosed :: "('e list) set ⇒ bool"
where
"prefixclosed tr ≡ (∀l1 ∈ tr. ∀l2. l2 ≼ l1 ⟶ l2 ∈ tr)"
(* The empty trace is a prefix of everything. *)
lemma empty_prefix_of_all: "[] ≼ l"
using prefix_def [of "[]" l] by simp
(* A non-empty prefix-closed trace set contains the empty trace. *)
lemma empty_trace_contained: "⟦ prefixclosed tr ; tr ≠ {} ⟧ ⟹ [] ∈ tr"
proof -
assume 1: "prefixclosed tr" and
2: "tr ≠ {}"
then obtain l1 where "l1 ∈ tr"
by auto
with 1 have "∀l2. l2 ≼ l1 ⟶ l2 ∈ tr"
by (simp add: prefixclosed_def)
thus "[] ∈ tr"
by (simp add: empty_prefix_of_all)
qed
(* ≼ is transitive. *)
lemma transitive_prefix: "⟦ l1 ≼ l2 ; l2 ≼ l3 ⟧ ⟹ l1 ≼ l3"
by (auto simp add: prefix_def)
end
Theory EventSystems
theory EventSystems
imports "../Basics/Prefix" "../Basics/Projection"
begin
(* An event system: a set of events E, of which I are inputs and O are outputs, and a
   set of traces Tr — the finite event sequences the system can exhibit.  The model is
   purely trace-based; there is no state. *)
record 'e ES_rec =
E_ES :: "'e set"
I_ES :: "'e set"
O_ES :: "'e set"
Tr_ES :: "('e list) set"
(* Subscript notation E⇘ES⇙, I⇘ES⇙, O⇘ES⇙, Tr⇘ES⇙ for the record fields. *)
abbreviation ESrecEES :: "'e ES_rec ⇒ 'e set"
("E⇘_⇙" [1000] 1000)
where
"E⇘ES⇙ ≡ (E_ES ES)"
abbreviation ESrecIES :: "'e ES_rec ⇒ 'e set"
("I⇘_⇙" [1000] 1000)
where
"I⇘ES⇙ ≡ (I_ES ES)"
abbreviation ESrecOES :: "'e ES_rec ⇒ 'e set"
("O⇘_⇙" [1000] 1000)
where
"O⇘ES⇙ ≡ (O_ES ES)"
abbreviation ESrecTrES :: "'e ES_rec ⇒ ('e list) set"
("Tr⇘_⇙" [1000] 1000)
where
"Tr⇘ES⇙ ≡ (Tr_ES ES)"
(* Well-formedness conditions on an event system: inputs and outputs are events and are
   disjoint from each other, traces only use declared events, and the trace set is
   prefix-closed. *)
definition es_inputs_are_events :: "'e ES_rec ⇒ bool"
where
"es_inputs_are_events ES ≡ I⇘ES⇙ ⊆ E⇘ES⇙"
definition es_outputs_are_events :: "'e ES_rec ⇒ bool"
where
"es_outputs_are_events ES ≡ O⇘ES⇙ ⊆ E⇘ES⇙"
definition es_inputs_outputs_disjoint :: "'e ES_rec ⇒ bool"
where
"es_inputs_outputs_disjoint ES ≡ I⇘ES⇙ ∩ O⇘ES⇙ = {}"
definition traces_contain_events :: "'e ES_rec ⇒ bool"
where
"traces_contain_events ES ≡ ∀l ∈ Tr⇘ES⇙. ∀e ∈ (set l). e ∈ E⇘ES⇙"
definition traces_prefixclosed :: "'e ES_rec ⇒ bool"
where
"traces_prefixclosed ES ≡ prefixclosed Tr⇘ES⇙"
(* Conjunction of all five well-formedness conditions. *)
definition ES_valid :: "'e ES_rec ⇒ bool"
where
"ES_valid ES ≡
es_inputs_are_events ES ∧ es_outputs_are_events ES
∧ es_inputs_outputs_disjoint ES ∧ traces_contain_events ES
∧ traces_prefixclosed ES"
(* total ES E: the events of E are always enabled — after any trace of ES, any event of
   E may occur next.  (A system that could refuse inputs would not be total in its
   input set.) *)
definition total :: "'e ES_rec ⇒ 'e set ⇒ bool"
where
"total ES E ≡ E ⊆ E⇘ES⇙ ∧ (∀τ ∈ Tr⇘ES⇙. ∀e ∈ E. τ @ [e] ∈ Tr⇘ES⇙)"
(* Totality lifts from single events to arbitrary sequences over E (induction on t'
   from the right). *)
lemma totality: "⟦ total ES E; t ∈ Tr⇘ES⇙; set t' ⊆ E ⟧ ⟹ t @ t' ∈ Tr⇘ES⇙"
by (induct t' rule: rev_induct, force, simp only: total_def, auto)
(* Parallel composition with synchronisation on shared events.
   - Events: the union of both event sets.
   - Inputs: inputs of one component that are not outputs of the other.  An input that
     the other component produces becomes internal communication and is no longer an
     input of the composition; outputs symmetrically.
   - Traces: every sequence over E1 ∪ E2 whose projection to E1 is a trace of ES1 and
     whose projection to E2 is a trace of ES2.  Beyond these two projections the
     interleaving of unshared events is unconstrained. *)
definition composeES :: "'e ES_rec ⇒ 'e ES_rec ⇒ 'e ES_rec"
where
"composeES ES1 ES2 ≡
⦇
E_ES = E⇘ES1⇙ ∪ E⇘ES2⇙,
I_ES = (I⇘ES1⇙ - O⇘ES2⇙) ∪ (I⇘ES2⇙ - O⇘ES1⇙),
O_ES = (O⇘ES1⇙ - I⇘ES2⇙) ∪ (O⇘ES2⇙ - I⇘ES1⇙),
Tr_ES = {τ . (τ ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙ ∧ (τ ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙
∧ (set τ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙)}
⦈"
(* Infix notation ES1 ∥ ES2 for composeES. *)
abbreviation composeESAbbrv :: "'e ES_rec ⇒ 'e ES_rec ⇒ 'e ES_rec"
("_ ∥ _"[1000] 1000)
where
"ES1 ∥ ES2 ≡ (composeES ES1 ES2)"
(* Composability: every shared event is communicated from one component to the other,
   i.e. it is an output of one and an input of the other. *)
definition composable :: "'e ES_rec ⇒ 'e ES_rec ⇒ bool"
where
"composable ES1 ES2 ≡ (E⇘ES1⇙ ∩ E⇘ES2⇙) ⊆ ((O⇘ES1⇙ ∩ I⇘ES2⇙) ∪ (O⇘ES2⇙ ∩ I⇘ES1⇙))"
(* The composition of two valid event systems is valid.  The proof discharges the five
   conjuncts of ES_valid one by one; the interface conditions are set algebra on the
   component conditions, traces_contain_events is immediate from the explicit
   set τ ⊆ E1 ∪ E2 conjunct of composeES, and prefix closure is inherited from the
   components because projection distributes over @. *)
lemma composeES_yields_ES:
"⟦ ES_valid ES1; ES_valid ES2 ⟧ ⟹ ES_valid (ES1 ∥ ES2)"
unfolding ES_valid_def
proof (auto)
assume ES1_inputs_are_events: "es_inputs_are_events ES1"
assume ES2_inputs_are_events: "es_inputs_are_events ES2"
show "es_inputs_are_events (ES1 ∥ ES2)" unfolding composeES_def es_inputs_are_events_def
proof (simp)
have subgoal11: "I⇘ES1⇙ - O⇘ES2⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙"
proof (auto)
fix x
assume "x ∈ I⇘ES1⇙"
with ES1_inputs_are_events show "x ∈ E⇘ES1⇙"
by (auto simp add: es_inputs_are_events_def)
qed
have subgoal12: "I⇘ES2⇙ - O⇘ES1⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙"
proof (rule subsetI, rule UnI2, auto)
fix x
assume "x ∈ I⇘ES2⇙"
with ES2_inputs_are_events show "x ∈ E⇘ES2⇙"
by (auto simp add: es_inputs_are_events_def)
qed
from subgoal11 subgoal12
show "I⇘ES1⇙ - O⇘ES2⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙ ∧ I⇘ES2⇙ - O⇘ES1⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙" ..
qed
next
assume ES1_outputs_are_events: "es_outputs_are_events ES1"
assume ES2_outputs_are_events: "es_outputs_are_events ES2"
show "es_outputs_are_events (ES1 ∥ ES2)"
unfolding composeES_def es_outputs_are_events_def
proof (simp)
have subgoal21: "O⇘ES1⇙ - I⇘ES2⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙"
proof (auto)
fix x
assume "x ∈ O⇘ES1⇙"
with ES1_outputs_are_events show "x ∈ E⇘ES1⇙"
by (auto simp add: es_outputs_are_events_def)
qed
have subgoal22: "O⇘ES2⇙ - I⇘ES1⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙"
proof (rule subsetI, rule UnI2, auto)
fix x
assume "x ∈ O⇘ES2⇙"
with ES2_outputs_are_events show "x ∈ E⇘ES2⇙"
by (auto simp add: es_outputs_are_events_def)
qed
from subgoal21 subgoal22
show "O⇘ES1⇙ - I⇘ES2⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙ ∧ O⇘ES2⇙ - I⇘ES1⇙ ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙" ..
qed
next
(* Disjointness of the composed inputs and outputs: a four-way case split on which
   component an element of each union comes from; two cases contradict the component's
   own disjointness, the other two are of the form x ∈ I - I. *)
assume ES1_inputs_outputs_disjoint: "es_inputs_outputs_disjoint ES1"
assume ES2_inputs_outputs_disjoint: "es_inputs_outputs_disjoint ES2"
show "es_inputs_outputs_disjoint (ES1 ∥ ES2)"
unfolding composeES_def es_inputs_outputs_disjoint_def
proof (simp)
have subgoal31:
"{} ⊆ (I⇘ES1⇙ - O⇘ES2⇙ ∪ (I⇘ES2⇙ - O⇘ES1⇙)) ∩ (O⇘ES1⇙ - I⇘ES2⇙ ∪ (O⇘ES2⇙ - I⇘ES1⇙))"
by auto
have subgoal32:
"(I⇘ES1⇙ - O⇘ES2⇙ ∪ (I⇘ES2⇙ - O⇘ES1⇙)) ∩ (O⇘ES1⇙ - I⇘ES2⇙ ∪ (O⇘ES2⇙ - I⇘ES1⇙)) ⊆ {}"
proof (rule subsetI, erule IntE)
fix x
assume ass1: "x ∈ I⇘ES1⇙ - O⇘ES2⇙ ∪ (I⇘ES2⇙ - O⇘ES1⇙)"
then have ass1': "x ∈ I⇘ES1⇙ - O⇘ES2⇙ ∨ x ∈ (I⇘ES2⇙ - O⇘ES1⇙)"
by auto
assume ass2: "x ∈ O⇘ES1⇙ - I⇘ES2⇙ ∪ (O⇘ES2⇙ - I⇘ES1⇙)"
then have ass2':"x ∈ O⇘ES1⇙ - I⇘ES2⇙ ∨ x ∈ (O⇘ES2⇙ - I⇘ES1⇙)"
by auto
note ass1'
moreover {
assume left1: "x ∈ I⇘ES1⇙ - O⇘ES2⇙"
note ass2'
moreover {
assume left2: "x ∈ O⇘ES1⇙ - I⇘ES2⇙"
with left1 have "x∈ (I⇘ES1⇙) ∩ (O⇘ES1⇙)"
by (auto)
with ES1_inputs_outputs_disjoint have "x∈{}"
by (auto simp add: es_inputs_outputs_disjoint_def)
}
moreover {
assume right2: "x ∈ (O⇘ES2⇙ - I⇘ES1⇙)"
with left1 have "x∈ (I⇘ES1⇙ - I⇘ES1⇙)"
by auto
hence "x∈{}"
by auto
}
ultimately have "x∈{}" ..
}
moreover {
assume right1: "x ∈ I⇘ES2⇙ - O⇘ES1⇙"
note ass2'
moreover {
assume left2: "x ∈ O⇘ES1⇙ - I⇘ES2⇙"
with right1 have "x∈ (I⇘ES2⇙ - I⇘ES2⇙)"
by auto
hence "x∈{}"
by auto
}
moreover {
assume right2: "x ∈ (O⇘ES2⇙ - I⇘ES1⇙)"
with right1 have "x ∈ (I⇘ES2⇙ ∩ O⇘ES2⇙)"
by auto
with ES2_inputs_outputs_disjoint have "x∈{}"
by (auto simp add: es_inputs_outputs_disjoint_def)
}
ultimately have "x∈{}" ..
}
ultimately show "x∈{}" ..
qed
from subgoal31 subgoal32
show "(I⇘ES1⇙ - O⇘ES2⇙ ∪ (I⇘ES2⇙ - O⇘ES1⇙)) ∩ (O⇘ES1⇙ - I⇘ES2⇙ ∪ (O⇘ES2⇙ - I⇘ES1⇙)) = {}"
by auto
qed
next
(* Traces of the composition use only declared events: this is the third conjunct of
   the trace set in composeES. *)
show "traces_contain_events (ES1 ∥ ES2)" unfolding composeES_def traces_contain_events_def
proof (clarsimp)
fix l e
assume "e ∈ set l"
and "set l ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙"
then have e_in_union: "e ∈ E⇘ES1⇙ ∪ E⇘ES2⇙"
by auto
assume "e ∉ E⇘ES2⇙"
with e_in_union show "e ∈ E⇘ES1⇙"
by auto
qed
next
(* Prefix closure: a prefix l2 of a composed trace l2 @ l3 projects to a prefix of each
   component trace, which is again a component trace.  The two halves of this block are
   the same argument for ES1 and for ES2. *)
assume ES1_traces_prefixclosed: "traces_prefixclosed ES1"
assume ES2_traces_prefixclosed: "traces_prefixclosed ES2"
show "traces_prefixclosed (ES1 ∥ ES2)"
unfolding composeES_def traces_prefixclosed_def prefixclosed_def prefix_def
proof (clarsimp)
fix l2 l3
have l2l3split: "(l2 @ l3) ↿ E⇘ES1⇙ = (l2 ↿ E⇘ES1⇙) @ (l3 ↿ E⇘ES1⇙)"
by (rule projection_concatenation_commute)
assume "(l2 @ l3) ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
with l2l3split have l2l3cattrace: "(l2 ↿ E⇘ES1⇙) @ (l3 ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
by auto
have theprefix: "(l2 ↿ E⇘ES1⇙) ≼ ((l2 ↿ E⇘ES1⇙) @ (l3 ↿ E⇘ES1⇙))"
by (simp add: prefix_def)
have prefixclosure: "∀ es1 ∈ (Tr⇘ES1⇙). ∀ es2. es2 ≼ es1 ⟶ es2 ∈ (Tr⇘ES1⇙)"
by (clarsimp, insert ES1_traces_prefixclosed, unfold traces_prefixclosed_def prefixclosed_def,
erule_tac x="es1" in ballE, erule_tac x="es2" in allE, erule impE, auto)
hence
" ((l2 ↿ E⇘ES1⇙) @ (l3 ↿ E⇘ES1⇙)) ∈ Tr⇘ES1⇙ ⟹ ∀ es2. es2 ≼ ((l2 ↿ E⇘ES1⇙) @ (l3 ↿ E⇘ES1⇙))
⟶ es2 ∈ Tr⇘ES1⇙" ..
with l2l3cattrace have "∀ es2. es2 ≼ ((l2 ↿ E⇘ES1⇙) @ (l3 ↿ E⇘ES1⇙)) ⟶ es2 ∈ Tr⇘ES1⇙"
by auto
hence "(l2 ↿ E⇘ES1⇙) ≼ ((l2 ↿ E⇘ES1⇙) @ (l3 ↿ E⇘ES1⇙)) ⟶ (l2 ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙" ..
with theprefix have goal51: "(l2 ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
by simp
have l2l3split: "(l2 @ l3) ↿ E⇘ES2⇙ = (l2 ↿ E⇘ES2⇙) @ (l3 ↿ E⇘ES2⇙)"
by (rule projection_concatenation_commute)
assume "(l2 @ l3) ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
with l2l3split have l2l3cattrace: "(l2 ↿ E⇘ES2⇙) @ (l3 ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by auto
have theprefix: "(l2 ↿ E⇘ES2⇙) ≼ ((l2 ↿ E⇘ES2⇙) @ (l3 ↿ E⇘ES2⇙))"
by (simp add: prefix_def)
have prefixclosure: "∀ es1 ∈ Tr⇘ES2⇙. ∀es2. es2 ≼ es1 ⟶ es2 ∈ Tr⇘ES2⇙"
by (clarsimp, insert ES2_traces_prefixclosed,
unfold traces_prefixclosed_def prefixclosed_def,
erule_tac x="es1" in ballE, erule_tac x="es2" in allE, erule impE, auto)
hence " ((l2 ↿ E⇘ES2⇙) @ (l3 ↿ E⇘ES2⇙)) ∈ Tr⇘ES2⇙
⟹ ∀ es2. es2 ≼ ((l2 ↿ E⇘ES2⇙) @ (l3 ↿ E⇘ES2⇙)) ⟶ es2 ∈ Tr⇘ES2⇙" ..
with l2l3cattrace have "∀ es2. es2 ≼ ((l2 ↿ E⇘ES2⇙) @ (l3 ↿ E⇘ES2⇙)) ⟶ es2 ∈ Tr⇘ES2⇙"
by auto
hence "(l2 ↿ E⇘ES2⇙) ≼ ((l2 ↿ E⇘ES2⇙) @ (l3 ↿ E⇘ES2⇙)) ⟶ (l2 ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙" ..
with theprefix have goal52: "(l2 ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by simp
from goal51 goal52 show goal5: "l2 ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙ ∧ l2 ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙" ..
qed
qed
end
Theory StateEventSystems
theory StateEventSystems
imports EventSystems
begin
(* A state-event system: states S with initial state s0, events E with inputs I and
   outputs O, and a transition function T.  T has type 's ⇒ 'e ⇀ 's, i.e. it is a partial
   function: for a given state and event there is at most one successor, so the system
   is deterministic, and an undefined entry means the event is not enabled there. *)
record ('s, 'e) SES_rec =
S_SES :: "'s set"
s0_SES :: "'s"
E_SES :: "'e set"
I_SES :: "'e set"
O_SES :: "'e set"
T_SES :: "'s ⇒ 'e ⇀ 's"
(* Subscript notation S⇘SES⇙, s0⇘SES⇙, E⇘SES⇙, I⇘SES⇙, O⇘SES⇙, T⇘SES⇙ for the fields. *)
abbreviation SESrecSSES :: "('s, 'e) SES_rec ⇒ 's set"
("S⇘_⇙" [1000] 1000)
where
"S⇘SES⇙ ≡ (S_SES SES)"
abbreviation SESrecs0SES :: "('s, 'e) SES_rec ⇒ 's"
("s0⇘_⇙" [1000] 1000)
where
"s0⇘SES⇙ ≡ (s0_SES SES)"
abbreviation SESrecESES :: "('s, 'e) SES_rec ⇒ 'e set"
("E⇘_⇙" [1000] 1000)
where
"E⇘SES⇙ ≡ (E_SES SES)"
abbreviation SESrecISES :: "('s, 'e) SES_rec ⇒ 'e set"
("I⇘_⇙" [1000] 1000)
where
"I⇘SES⇙ ≡ (I_SES SES)"
abbreviation SESrecOSES :: "('s, 'e) SES_rec ⇒ 'e set"
("O⇘_⇙" [1000] 1000)
where
"O⇘SES⇙ ≡ (O_SES SES)"
abbreviation SESrecTSES :: "('s, 'e) SES_rec ⇒ ('s ⇒ 'e ⇀ 's)"
("T⇘_⇙" [1000] 1000)
where
"T⇘SES⇙ ≡ (T_SES SES)"
(* s e⟶⇘SES⇙ s' reads "from state s, event e leads to state s'". *)
abbreviation TSESpred :: "'s ⇒ 'e ⇒ ('s, 'e) SES_rec ⇒ 's ⇒ bool"
("_ _⟶⇘_⇙ _" [100,100,100,100] 100)
where
"s e⟶⇘SES⇙ s' ≡ (T⇘SES⇙ s e = Some s')"
(* Well-formedness conditions.  correct_transition_relation requires every transition to
   stay within the declared states and events; without it, traces could contain
   undeclared events (see induceES_yields_ES below). *)
definition s0_is_state :: "('s, 'e) SES_rec ⇒ bool"
where
"s0_is_state SES ≡ s0⇘SES⇙ ∈ S⇘SES⇙"
definition ses_inputs_are_events :: "('s, 'e) SES_rec ⇒ bool"
where
"ses_inputs_are_events SES ≡ I⇘SES⇙ ⊆ E⇘SES⇙"
definition ses_outputs_are_events :: "('s, 'e) SES_rec ⇒ bool"
where
"ses_outputs_are_events SES ≡ O⇘SES⇙ ⊆ E⇘SES⇙"
definition ses_inputs_outputs_disjoint :: "('s, 'e) SES_rec ⇒ bool"
where
"ses_inputs_outputs_disjoint SES ≡ I⇘SES⇙ ∩ O⇘SES⇙ = {}"
definition correct_transition_relation :: "('s, 'e) SES_rec ⇒ bool"
where
"correct_transition_relation SES ≡
∀x y z. x y⟶⇘SES⇙ z ⟶ ((x ∈ S⇘SES⇙) ∧ (y ∈ E⇘SES⇙) ∧ (z ∈ S⇘SES⇙))"
(* Conjunction of all well-formedness conditions. *)
definition SES_valid :: "('s, 'e) SES_rec ⇒ bool"
where
"SES_valid SES ≡
s0_is_state SES ∧ ses_inputs_are_events SES
∧ ses_outputs_are_events SES ∧ ses_inputs_outputs_disjoint SES ∧
correct_transition_relation SES"
(* path SES s t: the state reached from s by executing the event sequence t, or None if
   some event along the way is not enabled.  The use of "the" in the recursive call is
   safe only because of the guard ∃s2. s1 e⟶⇘SES⇙ s2 immediately before it. *)
primrec path :: "('s, 'e) SES_rec ⇒ 's ⇒ 'e list ⇀ 's"
where
path_empt: "path SES s1 [] = (Some s1)" |
path_nonempt: "path SES s1 (e # t) =
(if (∃s2. s1 e⟶⇘SES⇙ s2)
then (path SES (the (T⇘SES⇙ s1 e)) t)
else None)"
(* s t⟹⇘SES⇙ s' reads "the sequence t leads from s to s'". *)
abbreviation pathpred :: "'s ⇒ 'e list ⇒ ('s, 'e) SES_rec ⇒ 's ⇒ bool"
("_ _⟹⇘_⇙ _" [100, 100, 100, 100] 100)
where
"s t⟹⇘SES⇙ s' ≡ path SES s t = Some s'"
(* A state is reachable if some sequence leads to it from the initial state. *)
definition reachable :: "('s, 'e) SES_rec ⇒ 's ⇒ bool"
where
"reachable SES s ≡ (∃t. s0⇘SES⇙ t⟹⇘SES⇙ s)"
(* t is enabled in s if it can be executed to completion from s. *)
definition enabled :: "('s, 'e) SES_rec ⇒ 's ⇒ 'e list ⇒ bool"
where
"enabled SES s t ≡ (∃s'. s t⟹⇘SES⇙ s')"
(* The traces of a state-event system: all sequences enabled in the initial state. *)
definition possible_traces :: "('s, 'e) SES_rec ⇒ ('e list) set"
where
"possible_traces SES ≡ {t. (enabled SES s0⇘SES⇙ t)}"
(* The event system induced by a state-event system: same interface, the possible traces
   as the trace set.  This is the bridge that lets the trace-based notions of
   EventSystems be applied to state-based specifications. *)
definition induceES :: "('s, 'e) SES_rec ⇒ 'e ES_rec"
where
"induceES SES ≡
⦇
E_ES = E⇘SES⇙,
I_ES = I⇘SES⇙,
O_ES = O⇘SES⇙,
Tr_ES = possible_traces SES
⦈"
(* Basic facts about path.  Once a prefix cannot be executed, no extension of it can;
   executing t @ [e] is the same as executing t and then taking one transition, in both
   directions. *)
lemma none_remains_none : "⋀ s e. (path SES s t) = None
⟹ (path SES s (t @ [e])) = None"
by (induct t, auto)
lemma path_trans_single_neg: "⋀ s1. ⟦s1 t⟹⇘SES⇙ s2; ¬ (s2 e⟶⇘SES⇙ sn)⟧
⟹ ¬ (s1 (t @ [e])⟹⇘SES⇙ sn)"
by (induct t, auto)
lemma path_split_single: "s1 (t@[e])⟹⇘SES⇙ sn
⟹ ∃s'. s1 t⟹⇘SES⇙ s' ∧ s' e⟶⇘SES⇙ sn"
by (cases "path SES s1 t", simp add: none_remains_none,
simp, rule ccontr, auto simp add: path_trans_single_neg)
lemma path_trans_single: "⋀s. ⟦ s t⟹⇘SES⇙ s'; s' e⟶⇘SES⇙ sn ⟧
⟹ s (t @ [e])⟹⇘SES⇙ sn"
proof (induct t)
case Nil thus ?case by auto
next
case (Cons a t) thus ?case
proof -
from Cons obtain s1' where trans_s_a_s1': "s a⟶⇘SES⇙ s1'"
by (simp, split if_split_asm, auto)
with Cons have "s1' (t @ [e])⟹⇘SES⇙ sn"
by auto
with trans_s_a_s1' show ?thesis
by auto
qed
qed
(* Paths split and join at arbitrary positions (induction on the second part from the
   right, using the single-step lemmas above). *)
lemma path_split: "⋀ sn. ⟦ s1 (t1 @ t2)⟹⇘SES⇙ sn ⟧
⟹ (∃s2. (s1 t1⟹⇘SES⇙ s2 ∧ s2 t2⟹⇘SES⇙ sn))"
proof (induct t2 rule: rev_induct)
case Nil thus ?case by auto
next
case (snoc a t) thus ?case
proof -
from snoc have "s1 (t1 @ t @ [a])⟹⇘SES⇙ sn"
by auto
hence "∃sn'. s1 (t1 @ t)⟹⇘SES⇙ sn' ∧ sn' a⟶⇘SES⇙ sn"
by (simp add: path_split_single)
then obtain sn' where path_t1_t_trans_a:
"s1 (t1 @ t)⟹⇘SES⇙ sn' ∧ sn' a⟶⇘SES⇙ sn"
by auto
with snoc obtain s2 where path_t1_t:
"s1 t1⟹⇘SES⇙ s2 ∧ s2 t⟹⇘SES⇙ sn'"
by auto
with path_t1_t_trans_a have "s2 (t @ [a])⟹⇘SES⇙ sn"
by (simp add: path_trans_single)
with path_t1_t show ?thesis by auto
qed
qed
lemma path_trans:
"⋀sn. ⟦ s1 l1⟹⇘SES⇙ s2; s2 l2⟹⇘SES⇙ sn ⟧ ⟹ s1 (l1 @ l2)⟹⇘SES⇙ sn"
proof (induct l2 rule: rev_induct)
case Nil thus ?case by auto
next
case (snoc a l) thus ?case
proof -
assume path_l1: "s1 l1⟹⇘SES⇙ s2"
assume "s2 (l@[a])⟹⇘SES⇙ sn"
hence "∃sn'. s2 l⟹⇘SES⇙ sn' ∧ sn' [a]⟹⇘SES⇙ sn"
by (simp add: path_split del: path_nonempt)
then obtain sn' where path_l_a: "s2 l⟹⇘SES⇙ sn' ∧ sn' [a]⟹⇘SES⇙ sn"
by auto
with snoc path_l1 have path_l1_l: "s1 (l1@l)⟹⇘SES⇙ sn'"
by auto
with path_l_a have "sn' a⟶⇘SES⇙ sn"
by (simp, split if_split_asm, auto)
with path_l1_l show "s1 (l1 @ l @ [a])⟹⇘SES⇙ sn"
by (subst append_assoc[symmetric], rule_tac s'="sn'" in path_trans_single, auto)
qed
qed
(* enabled is closed under taking prefixes, and the last event of an enabled sequence is
   a transition of the system (needed to show that traces only contain declared events). *)
lemma enabledPrefixSingle : "⟦ enabled SES s (t@[e]) ⟧ ⟹ enabled SES s t"
unfolding enabled_def
proof -
assume ass: "∃s'. s (t @ [e])⟹⇘SES⇙ s'"
from ass obtain s' where "s (t @ [e])⟹⇘SES⇙ s'" ..
hence "∃t'. (s t⟹⇘SES⇙ t') ∧ (t' e⟶⇘SES⇙ s')"
by (rule path_split_single)
then obtain t' where "s t⟹⇘SES⇙ t'"
by (auto)
thus "∃s'. s t⟹⇘SES⇙ s'" ..
qed
lemma enabledPrefix : "⟦ enabled SES s (t1 @ t2) ⟧ ⟹ enabled SES s t1"
unfolding enabled_def
proof -
assume ass: "∃s'. s (t1 @ t2)⟹⇘SES⇙ s'"
from ass obtain s' where "s (t1 @ t2)⟹⇘SES⇙ s'" ..
hence "∃t. (s t1⟹⇘SES⇙ t ∧ t t2⟹⇘SES⇙ s')"
by (rule path_split)
then obtain t where "s t1⟹⇘SES⇙ t"
by (auto)
then show "∃s'. s t1⟹⇘SES⇙ s'" ..
qed
lemma enabledPrefixSingleFinalStep : "⟦ enabled SES s (t@[e]) ⟧ ⟹ ∃ t' t''. t' e⟶⇘SES⇙ t''"
unfolding enabled_def
proof -
assume ass: "∃s'. s (t @ [e])⟹⇘SES⇙ s'"
from ass obtain s' where "s (t @ [e])⟹⇘SES⇙ s'" ..
hence "∃t'. (s t⟹⇘SES⇙ t') ∧ (t' e⟶⇘SES⇙ s')"
by (rule path_split_single)
then obtain t' where "t' e⟶⇘SES⇙ s'"
by (auto)
thus "∃t' t''. t' e⟶⇘SES⇙ t''"
by (auto)
qed
(* The event system induced by a valid state-event system is a valid event system.  The
   interface conditions carry over directly; traces_contain_events follows from
   correct_transition_relation by induction on the trace from the right, and prefix
   closure of the traces is enabledPrefix. *)
lemma induceES_yields_ES:
"SES_valid SES ⟹ ES_valid (induceES SES)"
proof (simp add: SES_valid_def ES_valid_def, auto)
assume SES_inputs_are_events: "ses_inputs_are_events SES"
thus "es_inputs_are_events (induceES SES)"
by (simp add: induceES_def ses_inputs_are_events_def es_inputs_are_events_def)
next
assume SES_outputs_are_events: "ses_outputs_are_events SES"
thus "es_outputs_are_events (induceES SES)"
by (simp add: induceES_def ses_outputs_are_events_def es_outputs_are_events_def)
next
assume SES_inputs_outputs_disjoint: "ses_inputs_outputs_disjoint SES"
thus "es_inputs_outputs_disjoint (induceES SES)"
by (simp add: induceES_def ses_inputs_outputs_disjoint_def es_inputs_outputs_disjoint_def)
next
assume SES_correct_transition_relation: "correct_transition_relation SES"
thus "traces_contain_events (induceES SES)"
unfolding induceES_def traces_contain_events_def possible_traces_def
proof (auto)
fix l e
assume enabled_l: "enabled SES s0⇘SES⇙ l"
assume e_in_l: "e ∈ set l"
from enabled_l e_in_l show "e ∈ E⇘SES⇙"
proof (induct l rule: rev_induct)
case Nil
assume e_in_empty_list: "e ∈ set []"
hence f: "False"
by (auto)
thus ?case
by auto
next
case (snoc a l)
from snoc.prems have l_enabled: "enabled SES s0⇘SES⇙ l"
by (simp add: enabledPrefixSingle)
show ?case
proof (cases "e ∈ (set l)")
from snoc.hyps l_enabled show "e ∈ set l ⟹ e ∈ E⇘SES⇙"
by auto
(* Otherwise e is the last event a, which is the label of some transition and hence
   a declared event by correct_transition_relation. *)
show "e ∉ set l ⟹ e ∈ E⇘SES⇙"
proof -
assume "e ∉ set l"
with snoc.prems have e_eq_a : "e=a"
by auto
from snoc.prems have "∃ t t'. t a⟶⇘SES⇙ t'"
by (auto simp add: enabledPrefixSingleFinalStep)
then obtain t t' where "t a⟶⇘SES⇙ t'"
by auto
with e_eq_a SES_correct_transition_relation show "e ∈ E⇘SES⇙"
by (simp add: correct_transition_relation_def)
qed
qed
qed
qed
next
show "traces_prefixclosed (induceES SES)"
unfolding traces_prefixclosed_def prefixclosed_def induceES_def possible_traces_def prefix_def
by (clarsimp simp add: enabledPrefix)
qed
end
Theory Views
theory Views
imports Main
begin
(* A view classifies the events of a system into three sets (names as in Mantel's MAKS
   framework, which this development appears to follow):
   V — visible events, which an observer is assumed to see;
   N — neutral events, neither observable nor required to be hidden;
   C — confidential events, whose occurrence must not be deducible from the visible ones.
   The security predicates in BasicSecurityPredicates are stated in terms of V and C;
   N is the slack they may use when adapting traces. *)
record 'e V_rec =
V :: "'e set"
N :: "'e set"
C :: "'e set"
(* Subscript notation V⇘v⇙, N⇘v⇙, C⇘v⇙ for the fields. *)
abbreviation VrecV :: "'e V_rec ⇒ 'e set"
("V⇘_⇙" [100] 1000)
where
"V⇘v⇙ ≡ (V v)"
abbreviation VrecN :: "'e V_rec ⇒ 'e set"
("N⇘_⇙" [100] 1000)
where
"N⇘v⇙ ≡ (N v)"
abbreviation VrecC :: "'e V_rec ⇒ 'e set"
("C⇘_⇙" [100] 1000)
where
"C⇘v⇙ ≡ (C v)"
(* Pairwise disjointness of the three classes. *)
definition VN_disjoint :: "'e V_rec ⇒ bool"
where
"VN_disjoint v ≡ V⇘v⇙ ∩ N⇘v⇙ = {}"
definition VC_disjoint :: "'e V_rec ⇒ bool"
where
"VC_disjoint v ≡ V⇘v⇙ ∩ C⇘v⇙ = {}"
definition NC_disjoint :: "'e V_rec ⇒ bool"
where
"NC_disjoint v ≡ N⇘v⇙ ∩ C⇘v⇙ = {}"
(* A view is valid if no event is in two classes at once. *)
definition V_valid :: "'e V_rec ⇒ bool"
where
"V_valid v ≡ VN_disjoint v ∧ VC_disjoint v ∧ NC_disjoint v"
(* 𝒱 is a view on the event set E if it is valid and its three classes together cover
   exactly E, i.e. they partition E. *)
definition isViewOn :: "'e V_rec ⇒ 'e set ⇒ bool"
where
"isViewOn 𝒱 E ≡ V_valid 𝒱 ∧ V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙ = E"
end
Theory FlowPolicies
theory FlowPolicies
imports Views
begin
(* A flow policy over a set of security domains D: three relations on domains that
   classify, for each pair (d', d), how information about domain d' may reach domain d.
   The three relations correspond to the V / N / C classes of a view (see view_dom). *)
record 'domain FlowPolicy_rec =
D :: "'domain set"
v_rel :: "('domain × 'domain) set"
n_rel :: "('domain × 'domain) set"
c_rel :: "('domain × 'domain) set"
(* Well-formedness of a flow policy: the three relations partition D × D (they cover it
   and are pairwise disjoint), and v_rel is reflexive — every domain may observe itself. *)
definition FlowPolicy :: "'domain FlowPolicy_rec ⇒ bool"
where
"FlowPolicy fp ≡
((v_rel fp) ∪ (n_rel fp) ∪ (c_rel fp) = ((D fp) × (D fp)))
∧ (v_rel fp) ∩ (n_rel fp) = {}
∧ (v_rel fp) ∩ (c_rel fp) = {}
∧ (n_rel fp) ∩ (c_rel fp) = {}
∧ (∀d ∈ (D fp). (d, d) ∈ (v_rel fp))"
(* A domain assignment: a partial map from events to domains. *)
type_synonym ('e, 'domain) dom_type = "'e ⇀ 'domain"
(* dom domas dset es: every event that has a domain is an event of es and its domain is
   in dset.  Events of es without a domain are not excluded by this definition. *)
definition dom :: "('e, 'domain) dom_type ⇒ 'domain set ⇒ 'e set ⇒ bool"
where
"dom domas dset es ≡
(∀e. ∀d. ((domas e = Some d) ⟶ (e ∈ es ∧ d ∈ dset)))"
(* The view of domain d under policy fp: an event of domain d' is visible, neutral or
   confidential for d according to which of the three relations contains (d', d).
   Events without a domain assignment land in none of the three classes, so the result
   satisfies isViewOn for an event set only if every event of that set has a domain and
   fp is a FlowPolicy (for the disjointness part); neither is enforced here. *)
definition view_dom :: "'domain FlowPolicy_rec ⇒ 'domain ⇒ ('e, 'domain) dom_type ⇒ 'e V_rec"
where
"view_dom fp d domas ≡
⦇ V = {e. ∃d'. (domas e = Some d' ∧ (d', d) ∈ (v_rel fp))},
N = {e. ∃d'. (domas e = Some d' ∧ (d', d) ∈ (n_rel fp))},
C = {e. ∃d'. (domas e = Some d' ∧ (d', d) ∈ (c_rel fp))} ⦈"
end
Theory BasicSecurityPredicates
theory BasicSecurityPredicates
imports Views "../Basics/Projection"
begin
(* Tr is a set of traces over E if every trace in Tr uses only events of E. *)
definition areTracesOver :: "('e list) set ⇒ 'e set ⇒ bool "
where
"areTracesOver Tr E ≡
∀ τ ∈ Tr. (set τ) ⊆ E"
(* A basic security predicate (BSP) takes a view and a trace set and decides whether the
   trace set is secure with respect to that view. *)
type_synonym 'e BSP = "'e V_rec ⇒ (('e list) set) ⇒ bool"
(* Non-triviality of a BSP: for every view on E and every trace set over E there is a
   superset of traces that satisfies the predicate.  This rules out predicates that no
   system over E could satisfy; the witnesses in the proofs below are always the set of
   all traces over E. *)
definition BSP_valid :: "'e BSP ⇒ bool"
where
"BSP_valid bsp ≡
∀𝒱 Tr E. ( isViewOn 𝒱 E ∧ areTracesOver Tr E )
⟶ (∃ Tr'. Tr' ⊇ Tr ∧ bsp 𝒱 Tr')"
(* R (removal of confidential events): every trace has a counterpart in Tr that contains
   no confidential event and agrees with it on the visible events.  An observer of V
   therefore cannot tell whether any C-event occurred at all.  Neutral events are left
   unconstrained, so the counterpart may differ from τ on N. *)
definition R :: "'e BSP"
where
"R 𝒱 Tr ≡
∀τ∈Tr. ∃τ'∈Tr. τ' ↿ C⇘𝒱⇙ = [] ∧ τ' ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙"
(* R is non-trivial.  Witness: the set of all traces over E.  For a trace τ the
   counterpart is τ ↿ V, which has no C-events because V and C are disjoint in a view
   (disjoint_projection) and has the same V-projection by idempotence. *)
lemma BSP_valid_R: "BSP_valid R"
proof -
{
fix 𝒱::"('e V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "R 𝒱 ?Tr'"
proof -
{
fix τ
assume "τ ∈ {t. (set t) ⊆ E}"
let ?τ'="τ↿(V⇘𝒱⇙)"
have "?τ' ↿ C⇘𝒱⇙ = [] ∧ ?τ' ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙"
using ‹isViewOn 𝒱 E› disjoint_projection projection_idempotent
unfolding isViewOn_def V_valid_def VC_disjoint_def by metis
moreover
(* τ ↿ V is again a trace over E, since V ⊆ E for a view on E. *)
from ‹τ ∈ {t. (set t) ⊆ E}› have "?τ' ∈ ?Tr'" using ‹isViewOn 𝒱 E›
unfolding isViewOn_def
by (simp add: list_subset_iff_projection_neutral projection_commute)
ultimately
have " ∃τ'∈{t. set t ⊆ E}. τ' ↿ C⇘𝒱⇙ = [] ∧ τ' ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙"
by auto
}
thus ?thesis unfolding R_def
by auto
qed
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ R 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP D ("deletion"): whenever a trace β @ [c] @ α with c ∈ C and no further
   C-events in α is possible, there is also a trace β' @ α' in which c has been
   deleted, such that α' agrees with α on V and has no C-events, and β' agrees
   with β on V ∪ C.  Unlike BSD below, the prefix may be perturbed in its
   N-events. *)
definition D :: "'e BSP"
where
"D 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ [c] @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [])
⟶ (∃α' β'. ((β' @ α') ∈ Tr ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []
∧ β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙)))"
(* D is BSP-valid.  Witness: Tr' = all traces over E.  Deleting an event from a
   trace over E yields a trace over E, so β' = β, α' = α works and auto closes
   the goal directly from D_def. *)
lemma BSP_valid_D: "BSP_valid D"
proof -
{
fix 𝒱::"('e V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "D 𝒱 ?Tr'"
unfolding D_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ D 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP I ("insertion"): the dual of D.  Whenever β @ α is a trace with no
   C-events in α, any confidential event c can be inserted, giving a trace
   β' @ [c] @ α' with α' agreeing with α on V and free of C-events, and β'
   agreeing with β on V ∪ C. *)
definition I :: "'e BSP"
where
"I 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [])
⟶ (∃α' β'. ((β' @ [c] @ α') ∈ Tr ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []
∧ β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙)))"
(* I is BSP-valid.  Witness: Tr' = all traces over E.  Inserting c keeps the
   trace over E only because c ∈ C⇘𝒱⇙ ⊆ E, which is why isViewOn_def must be
   unfolded here (in contrast to BSP_valid_D). *)
lemma BSP_valid_I: "BSP_valid I"
proof -
{
fix 𝒱::"('e V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "I 𝒱 ?Tr'" using ‹isViewOn 𝒱 E›
unfolding isViewOn_def I_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ I 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* A "ρ-function": selects, from a view, the set of events that determines
   admissibility of a confidential event (see Adm). *)
type_synonym 'e Rho = "'e V_rec ⇒ 'e set"
(* Admissibility of event e after prefix β: there is some trace γ @ [e] in Tr
   whose prefix γ agrees with β on the events selected by ρ 𝒱.  The larger ρ 𝒱,
   the stronger the requirement (see Adm_implies_Adm_for_modified_rho). *)
definition
Adm :: "'e V_rec ⇒ 'e Rho ⇒ ('e list) set ⇒ 'e list ⇒ 'e ⇒ bool"
where
"Adm 𝒱 ρ Tr β e ≡
∃γ. ((γ @ [e]) ∈ Tr ∧ γ↿(ρ 𝒱) = β↿(ρ 𝒱))"
(* BSP IA ("insertion of admissible events"): I weakened by the extra premise
   Adm 𝒱 ρ Tr β c, i.e. c only has to be insertable after β when it is
   admissible after a ρ-equivalent prefix. *)
definition IA :: "'e Rho ⇒ 'e BSP"
where
"IA ρ 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [] ∧ (Adm 𝒱 ρ Tr β c))
⟶ (∃ α' β'. ((β' @ [c] @ α') ∈ Tr) ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙
∧ α'↿C⇘𝒱⇙ = [] ∧ β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙))"
(* IA is BSP-valid for every ρ, by the same witness and argument as
   BSP_valid_I; the admissibility premise is simply not needed. *)
lemma BSP_valid_IA: "BSP_valid (IA ρ) "
proof -
{
fix 𝒱 :: "('a V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "IA ρ 𝒱 ?Tr'" using ‹isViewOn 𝒱 E›
unfolding isViewOn_def IA_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ IA ρ 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP BSD ("backwards-strict deletion"): D with the prefix fixed -- the
   corrected trace is β @ α' with the very same β.  Hence BSD implies D
   (BSD_implies_D in the taxonomy). *)
definition BSD :: "'e BSP"
where
"BSD 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ [c] @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [])
⟶ (∃α'. ((β @ α') ∈ Tr ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []))"
(* BSD is BSP-valid: with Tr' = all traces over E, deleting c from β @ [c] @ α
   gives β @ α ∈ Tr', so α' = α suffices and auto closes the goal. *)
lemma BSP_valid_BSD: "BSP_valid BSD"
proof -
{
fix 𝒱::"('e V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "BSD 𝒱 ?Tr'"
unfolding BSD_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ BSD 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP BSI ("backwards-strict insertion"): I with the prefix fixed -- c is
   inserted directly after the unchanged β. *)
definition BSI :: "'e BSP"
where
"BSI 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [])
⟶ (∃α'. ((β @ [c] @ α') ∈ Tr ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []))"
(* BSI is BSP-valid; as in BSP_valid_I the witness Tr' = all traces over E
   needs c ∈ E, obtained from isViewOn. *)
lemma BSP_valid_BSI: "BSP_valid BSI"
proof -
{
fix 𝒱::"('e V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "BSI 𝒱 ?Tr'" using ‹isViewOn 𝒱 E›
unfolding isViewOn_def BSI_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ BSI 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP BSIA ("backwards-strict insertion of admissible events"): BSI restricted
   to confidential events c that are admissible after β w.r.t. ρ. *)
definition BSIA :: "'e Rho ⇒ 'e BSP"
where
"BSIA ρ 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [] ∧ (Adm 𝒱 ρ Tr β c))
⟶ (∃α'. ((β @ [c] @ α') ∈ Tr ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []))"
(* BSIA is BSP-valid for every ρ, by the argument of BSP_valid_BSI (the
   admissibility premise is not used). *)
lemma BSP_valid_BSIA: "BSP_valid (BSIA ρ) "
proof -
{
fix 𝒱 :: "('a V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "BSIA ρ 𝒱 ?Tr'" using ‹isViewOn 𝒱 E›
unfolding isViewOn_def BSIA_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ BSIA ρ 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* Parameter record Γ of the forward-correctability BSPs (FCD/FCI/FCIA below):
   ∇ (Nabla) restricts the visible event v that directly follows the
   confidential event, Δ (Delta) restricts the N-events δ' that may be used to
   correct the trace, and Υ (Upsilon) restricts the confidential events c
   considered.  The three abbreviations introduce the subscript notation
   ∇⇘Γ⇙, Δ⇘Γ⇙, Υ⇘Γ⇙ for the record selectors. *)
record 'e Gamma =
Nabla :: "'e set"
Delta :: "'e set"
Upsilon :: "'e set"
abbreviation GammaNabla :: "'e Gamma ⇒ 'e set"
("∇⇘_⇙" [100] 1000)
where
"∇⇘Γ⇙ ≡ (Nabla Γ)"
abbreviation GammaDelta :: "'e Gamma ⇒ 'e set"
("Δ⇘_⇙" [100] 1000)
where
"Δ⇘Γ⇙ ≡ (Delta Γ)"
abbreviation GammaUpsilon :: "'e Gamma ⇒ 'e set"
("Υ⇘_⇙" [100] 1000)
where
"Υ⇘Γ⇙ ≡ (Upsilon Γ)"
(* BSP FCD ("forward-correctable deletion"): if β @ [c, v] @ α is a trace with
   c ∈ C ∩ Υ⇘Γ⇙, v ∈ V ∩ ∇⇘Γ⇙ and no C-events in α, then c can be deleted and the
   trace repaired *forward* of the deletion point only: the result is
   β @ δ' @ [v] @ α' where δ' consists solely of events from N ∩ Δ⇘Γ⇙, α' agrees
   with α on V and contains no C-events.  The prefix β is kept unchanged. *)
definition FCD :: "'e Gamma ⇒ 'e BSP"
where
"FCD Γ 𝒱 Tr ≡
∀α β. ∀c∈(C⇘𝒱⇙ ∩ Υ⇘Γ⇙). ∀v∈(V⇘𝒱⇙ ∩ ∇⇘Γ⇙).
((β @ [c,v] @ α) ∈ Tr ∧ α ↿ C⇘𝒱⇙ = [])
⟶ (∃α'. ∃δ'. (set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)
∧ ((β @ δ' @ [v] @ α') ∈ Tr
∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []))"
(* FCD is BSP-valid for every Γ.  Witness: Tr' = all traces over E, with the
   trivial correction δ' = [] and α' = α; β @ [v] @ α is over E because it is a
   sublist of β @ [c, v] @ α. *)
lemma BSP_valid_FCD: "BSP_valid (FCD Γ)"
proof -
{
fix 𝒱::"('a V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "FCD Γ 𝒱 ?Tr'"
proof -
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [c ,v] @ α ∈ ?Tr'"
and "α ↿ C⇘𝒱⇙ = []"
(* trivial witnesses: no N-correction, suffix unchanged *)
let ?α'="α" and ?δ'="[]"
from ‹β @ [c ,v] @ α ∈ ?Tr'› have "β @ ?δ' @ [v] @ ?α' ∈ ?Tr'"
by auto
hence "(set ?δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ ?δ' @ [v] @ ?α') ∈ ?Tr'
∧ ?α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ ?α' ↿ C⇘𝒱⇙ = [])"
using ‹isViewOn 𝒱 E› ‹α ↿ C⇘𝒱⇙ = []›
unfolding isViewOn_def ‹α ↿ C⇘𝒱⇙ = []› by auto
hence "∃α'. ∃δ'. (set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ δ' @ [v] @ α') ∈ ?Tr'
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by blast
}
thus ?thesis
unfolding FCD_def by auto
qed
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ FCD Γ 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP FCI ("forward-correctable insertion"): dual of FCD.  Given a trace
   β @ [v] @ α with v ∈ V ∩ ∇⇘Γ⇙ and no C-events in α, the confidential event
   c ∈ C ∩ Υ⇘Γ⇙ can be inserted before v, with a correction δ' ⊆ N ∩ Δ⇘Γ⇙ between
   c and v and a corrected suffix α' (same V-events as α, no C-events). *)
definition FCI :: "'e Gamma ⇒ 'e BSP"
where
"FCI Γ 𝒱 Tr ≡
∀α β. ∀c∈(C⇘𝒱⇙ ∩ Υ⇘Γ⇙). ∀v∈(V⇘𝒱⇙ ∩ ∇⇘Γ⇙).
((β @ [v] @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [])
⟶ (∃α'. ∃δ'. (set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)
∧ ((β @ [c] @ δ' @ [v] @ α') ∈ Tr
∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []))"
(* FCI is BSP-valid for every Γ.  Witness: Tr' = all traces over E, δ' = [],
   α' = α.  The inserted c must be shown to lie in E, which follows from
   c ∈ C⇘𝒱⇙ and isViewOn. *)
lemma BSP_valid_FCI: "BSP_valid (FCI Γ)"
proof -
{
fix 𝒱::"('a V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "FCI Γ 𝒱 ?Tr'"
proof -
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [v] @ α ∈ ?Tr'"
and "α ↿ C⇘𝒱⇙ = []"
let ?α'="α" and ?δ'="[]"
(* C⇘𝒱⇙ ⊆ E, so inserting c keeps the trace over E *)
from ‹c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙› have" c ∈ E"
using ‹isViewOn 𝒱 E›
unfolding isViewOn_def by auto
with ‹β @ [v] @ α ∈ ?Tr'› have "β @ [c] @ ?δ' @ [v] @ ?α' ∈ ?Tr'"
by auto
hence "(set ?δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ [c] @ ?δ' @ [v] @ ?α') ∈ ?Tr'
∧ ?α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ ?α' ↿ C⇘𝒱⇙ = [])"
using ‹isViewOn 𝒱 E› ‹α ↿ C⇘𝒱⇙ = []› unfolding isViewOn_def ‹α ↿ C⇘𝒱⇙ = []› by auto
hence
"∃α'. ∃δ'. (set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ [c] @ δ' @ [v] @ α') ∈ ?Tr'
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by blast
}
thus ?thesis
unfolding FCI_def by auto
qed
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ FCI Γ 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP FCIA ("forward-correctable insertion of admissible events"): FCI with
   the additional premise that c is admissible after β w.r.t. ρ. *)
definition FCIA :: "'e Rho ⇒ 'e Gamma ⇒ 'e BSP"
where
"FCIA ρ Γ 𝒱 Tr ≡
∀α β. ∀c∈(C⇘𝒱⇙ ∩ Υ⇘Γ⇙). ∀v∈(V⇘𝒱⇙ ∩ ∇⇘Γ⇙).
((β @ [v] @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = [] ∧ (Adm 𝒱 ρ Tr β c))
⟶ (∃α'. ∃δ'. (set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)
∧ ((β @ [c] @ δ' @ [v] @ α') ∈ Tr
∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []))"
(* FCIA is BSP-valid for every ρ and Γ; identical argument to BSP_valid_FCI,
   the admissibility premise is not needed. *)
lemma BSP_valid_FCIA: "BSP_valid (FCIA ρ Γ) "
proof -
{
fix 𝒱 :: "('a V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "FCIA ρ Γ 𝒱 ?Tr'"
proof -
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [v] @ α ∈ ?Tr'"
and "α ↿ C⇘𝒱⇙ = []"
let ?α'="α" and ?δ'="[]"
(* C⇘𝒱⇙ ⊆ E by isViewOn *)
from ‹c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙› have" c ∈ E"
using ‹isViewOn 𝒱 E› unfolding isViewOn_def by auto
with ‹β @ [v] @ α ∈ ?Tr'› have "β @ [c] @ ?δ' @ [v] @ ?α' ∈ ?Tr'"
by auto
hence "(set ?δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ [c] @ ?δ' @ [v] @ ?α') ∈ ?Tr'
∧ ?α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ ?α' ↿ C⇘𝒱⇙ = [])"
using ‹isViewOn 𝒱 E› ‹α ↿ C⇘𝒱⇙ = []›
unfolding isViewOn_def ‹α ↿ C⇘𝒱⇙ = []› by auto
hence
"∃α'. ∃δ'. (set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ [c] @ δ' @ [v] @ α') ∈ ?Tr'
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by blast
}
thus ?thesis
unfolding FCIA_def by auto
qed
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ FCIA ρ Γ 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP SR ("strict removal"): deleting all C-events from a trace (keeping
   exactly the V- and N-events, in order) yields a trace again.  Stronger than
   R, which only asks for some C-free trace with the same V-projection. *)
definition SR :: "'e BSP"
where
"SR 𝒱 Tr ≡ ∀τ∈Tr. τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ Tr"
(* SR is BSP-valid.  Unlike the other validity proofs the witness is not the
   set of all traces over E but the closure Tr ∪ {τ ↿ (V ∪ N) | τ ∈ Tr}; it is
   closed under the projection because projection is idempotent.
   NOTE(review): this lemma (and the SD/SI/SIA validity lemmas below) is
   unnamed and so cannot be referenced from other theories; BSP_valid_SR would
   match the naming of the lemmas above. *)
lemma "BSP_valid SR"
proof -
{
fix 𝒱::"('e V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. ∃τ ∈ Tr. t=τ↿(V⇘𝒱⇙ ∪ N⇘𝒱⇙)} ∪ Tr"
have "?Tr'⊇ Tr"
by blast
moreover
have "SR 𝒱 ?Tr'" unfolding SR_def
proof
fix τ
assume "τ ∈ ?Tr'"
{
(* case split on which half of the union τ comes from *)
from ‹τ ∈ ?Tr'› have "(∃t∈Tr. τ = t ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)) ∨ τ ∈ Tr"
by auto
hence "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ ?Tr'"
proof
(* τ is already a projection: projecting again changes nothing *)
assume "∃t∈Tr. τ = t ↿(V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
hence "∃t∈Tr. τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)= t ↿(V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
using projection_idempotent by metis
thus ?thesis
by auto
next
(* τ ∈ Tr: its projection is in the left half by construction *)
assume "τ ∈ Tr"
thus ?thesis
by auto
qed
}
thus "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ ?Tr'"
by auto
qed
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ SR 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP SD ("strict deletion"): the last confidential event c of a trace
   β @ [c] @ α (α has no C-events) can be deleted without any other change,
   i.e. β @ α is a trace.  Strongest of the deletion-style BSPs: SD implies
   BSD, which implies D. *)
definition SD :: "'e BSP"
where
"SD 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ [c] @ α) ∈ Tr ∧ α↿C⇘𝒱⇙ = []) ⟶ β @ α ∈ Tr"
(* SD is BSP-valid: the set of all traces over E is closed under deleting an
   event.  (Unnamed lemma; see the note at the SR validity proof.) *)
lemma "BSP_valid SD"
proof -
{
fix 𝒱::"('e V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr" by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "SD 𝒱 ?Tr'" unfolding SD_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ SD 𝒱 Tr'" by auto
}
thus ?thesis unfolding BSP_valid_def by auto
qed
(* BSP SI ("strict insertion"): any confidential event c can be inserted
   after a prefix β whose remaining suffix α has no C-events, without any other
   change.  SI implies BSI, which implies I. *)
definition SI :: "'e BSP"
where
"SI 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ α) ∈ Tr ∧ α ↿ C⇘𝒱⇙ = []) ⟶ β @ [c] @ α ∈ Tr"
(* SI is BSP-valid: all traces over E form a superset closed under inserting
   c, because c ∈ C⇘𝒱⇙ ⊆ E (hence isViewOn_def is unfolded).  Unnamed lemma. *)
lemma "BSP_valid SI"
proof -
{
fix 𝒱::"('a V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "SI 𝒱 ?Tr'"
using ‹isViewOn 𝒱 E›
unfolding isViewOn_def SI_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ SI 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
(* BSP SIA ("strict insertion of admissible events"): SI restricted to
   confidential events that are admissible after β w.r.t. ρ. *)
definition SIA :: "'e Rho ⇒ 'e BSP"
where
"SIA ρ 𝒱 Tr ≡
∀α β. ∀c∈C⇘𝒱⇙. ((β @ α) ∈ Tr ∧ α ↿ C⇘𝒱⇙ = [] ∧ (Adm 𝒱 ρ Tr β c))
⟶ (β @ [c] @ α) ∈ Tr"
(* SIA is BSP-valid for every ρ, by the argument of the SI validity proof.
   Unnamed lemma. *)
lemma "BSP_valid (SIA ρ) "
proof -
{
fix 𝒱 :: "('a V_rec)"
fix Tr E
assume "isViewOn 𝒱 E"
and "areTracesOver Tr E"
let ?Tr'="{t. (set t) ⊆ E}"
have "?Tr'⊇ Tr"
by (meson Ball_Collect ‹areTracesOver Tr E› areTracesOver_def)
moreover
have "SIA ρ 𝒱 ?Tr'"
using ‹isViewOn 𝒱 E›
unfolding isViewOn_def SIA_def by auto
ultimately
have "∃ Tr'. Tr' ⊇ Tr ∧ SIA ρ 𝒱 Tr'"
by auto
}
thus ?thesis
unfolding BSP_valid_def by auto
qed
end
theory BSPTaxonomy
imports "../../SystemSpecification/EventSystems"
"../../SecuritySpecification/BasicSecurityPredicates"
begin
(* Context for comparing BSPs that differ in how a trace is corrected, all
   w.r.t. one fixed view 𝒱 on the events of a valid event system ES.
   ES_valid and E⇘ES⇙ / Tr⇘ES⇙ come from the EventSystems theory (not in this
   excerpt); the lemmas below use validES only to know that traces consist of
   events of E⇘ES⇙. *)
locale BSPTaxonomyDifferentCorrections =
fixes ES :: "'e ES_rec"
and 𝒱 :: "'e V_rec"
assumes validES: "ES_valid ES"
and VIsViewOnE: "isViewOn 𝒱 E⇘ES⇙"
(* Context for comparing the same BSP under two different views 𝒱⇩1 and 𝒱⇩2 on
   the events of one valid event system. *)
locale BSPTaxonomyDifferentViews =
fixes ES :: "'e ES_rec"
and 𝒱⇩1 :: "'e V_rec"
and 𝒱⇩2 :: "'e V_rec"
assumes validES: "ES_valid ES"
and 𝒱⇩1IsViewOnE: "isViewOn 𝒱⇩1 E⇘ES⇙"
and 𝒱⇩2IsViewOnE: "isViewOn 𝒱⇩2 E⇘ES⇙"
(* First ordering of views: 𝒱⇩2 is "weaker" than 𝒱⇩1 in that it makes fewer
   events visible, fewer events confidential, and correspondingly more events
   neutral (N⇘𝒱⇩2⇙ ⊇ N⇘𝒱⇩1⇙). *)
locale BSPTaxonomyDifferentViewsFirstDim= BSPTaxonomyDifferentViews +
assumes V2_subset_V1: "V⇘𝒱⇩2⇙ ⊆ V⇘𝒱⇩1⇙"
and N2_supset_N1: "N⇘𝒱⇩2⇙ ⊇ N⇘𝒱⇩1⇙"
and C2_subset_C1: "C⇘𝒱⇩2⇙ ⊆ C⇘𝒱⇩1⇙"
(* Makes the lemmas of BSPTaxonomyDifferentViews available inside the
   FirstDim locale; trivial since FirstDim only adds assumptions. *)
sublocale BSPTaxonomyDifferentViewsFirstDim ⊆ BSPTaxonomyDifferentViews
by (unfold_locales)
(* Second ordering of views: as FirstDim, but the confidential events are the
   same in both views (C2_equals_C1 instead of C2_subset_C1); only the V/N
   boundary moves. *)
locale BSPTaxonomyDifferentViewsSecondDim= BSPTaxonomyDifferentViews +
assumes V2_subset_V1: "V⇘𝒱⇩2⇙ ⊆ V⇘𝒱⇩1⇙"
and N2_supset_N1: "N⇘𝒱⇩2⇙ ⊇ N⇘𝒱⇩1⇙"
and C2_equals_C1: "C⇘𝒱⇩2⇙ = C⇘𝒱⇩1⇙"
(* Same as for FirstDim: inherit the DifferentViews lemmas. *)
sublocale BSPTaxonomyDifferentViewsSecondDim ⊆ BSPTaxonomyDifferentViews
by (unfold_locales)
context BSPTaxonomyDifferentCorrections
begin
(* SR ⟹ R: the C-free trace required by R is τ ↿ (V ∪ N), which SR guarantees
   to be a trace.  It has the same V-projection as τ (V ⊆ V ∪ N) and no
   C-events because (V ∪ N) ∩ C = {} by validity of the view. *)
lemma SR_implies_R:
"SR 𝒱 Tr⇘ES⇙ ⟹ R 𝒱 Tr⇘ES⇙"
proof -
assume SR: "SR 𝒱 Tr⇘ES⇙"
{
fix τ
assume "τ ∈ Tr⇘ES⇙"
with SR have "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ Tr⇘ES⇙"
unfolding SR_def by auto
hence "∃ τ'. τ' ∈ Tr⇘ES⇙ ∧ τ' ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙ ∧ τ' ↿ C⇘𝒱⇙ = []"
proof -
assume tau_V_N_is_trace: "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ Tr⇘ES⇙"
show "∃ τ'. τ' ∈ Tr⇘ES⇙ ∧ τ' ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙ ∧ τ' ↿ C⇘𝒱⇙ = []"
proof
let ?τ'= "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
(* projecting to V after V ∪ N is the same as projecting to V directly *)
have "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙"
by (simp add: projection_subset_elim)
moreover
from VIsViewOnE have "VC_disjoint 𝒱 ∧ NC_disjoint 𝒱"
unfolding isViewOn_def V_valid_def
by auto
then have "(V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∩ C⇘𝒱⇙ = {}"
by (simp add: NC_disjoint_def VC_disjoint_def inf_sup_distrib2)
then have "?τ' ↿ C⇘𝒱⇙ = []"
by (simp add: disjoint_projection)
ultimately
show "?τ' ∈ Tr⇘ES⇙ ∧ ?τ' ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙ ∧ ?τ' ↿ C⇘𝒱⇙ = []"
using tau_V_N_is_trace by auto
qed
qed
}
thus ?thesis
unfolding SR_def R_def by auto
qed
(* SD ⟹ BSD: SD yields β @ α ∈ Tr directly, so α' = α witnesses BSD (it has
   the same V-projection as α and, by assumption, no C-events). *)
lemma SD_implies_BSD :
"(SD 𝒱 Tr⇘ES⇙) ⟹ BSD 𝒱 Tr⇘ES⇙ "
proof -
assume SD: "SD 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ c # α ∈ Tr⇘ES⇙"
and alpha_C_empty: "α ↿ C⇘𝒱⇙ = []"
with SD have "β @ α ∈ Tr⇘ES⇙"
unfolding SD_def by auto
hence "∃α'. β @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
using alpha_C_empty
by auto
}
thus ?thesis
unfolding SD_def BSD_def by auto
qed
(* BSD ⟹ D: take β' = β (trivially equal to β on V ∪ C) and the α' provided
   by BSD.  NOTE(review): the obtained fact is written "α ↿ V 𝒱" instead of
   the usual "α ↿ V⇘𝒱⇙"; both denote the record selector applied to 𝒱, so the
   proof is unaffected, but the notation is inconsistent with the rest of the
   file. *)
lemma BSD_implies_D:
"BSD 𝒱 Tr⇘ES⇙ ⟹ D 𝒱 Tr⇘ES⇙"
proof -
assume BSD: "BSD 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "α ↿ C⇘𝒱⇙ = []"
and "c ∈ C⇘𝒱⇙"
and "β @ [c] @ α ∈ Tr⇘ES⇙"
with BSD obtain α'
where "β @ α' ∈ Tr⇘ES⇙"
and "α' ↿ V⇘𝒱⇙ = α ↿ V 𝒱"
and "α' ↿ C⇘𝒱⇙ = []"
by (simp add: BSD_def, auto)
hence "(∃α' β'.
(β' @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []) ∧
β' ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙))"
by auto
}
thus ?thesis
unfolding BSD_def D_def
by auto
qed
(* SD ⟹ SR.  SD only removes one confidential event at a time, so the proof
   is by induction on n = number of C-events in τ (SR_via_length): each step
   splits off the last C-event with projection_split_last, deletes it via SD,
   and applies the induction hypothesis to the shorter trace; the V ∪ N
   projection and the count of C-events are tracked through the step.
   Finally, the C-free trace τ' obtained is shown to be literally
   τ ↿ (V ∪ N): τ' consists of events of E⇘ES⇙ = V ∪ N ∪ C (validES,
   VIsViewOnE) and has no C-events, hence τ' = τ' ↿ (V ∪ N). *)
lemma SD_implies_SR:
"SD 𝒱 Tr⇘ES⇙ ⟹ SR 𝒱 Tr⇘ES⇙"
unfolding SR_def
proof
fix τ
assume SD: "SD 𝒱 Tr⇘ES⇙"
assume τ_trace: "τ ∈ Tr⇘ES⇙"
{
fix n
have SR_via_length: " ⟦ τ ∈ Tr⇘ES⇙; n = length (τ ↿ C⇘𝒱⇙) ⟧
⟹ ∃τ' ∈ Tr⇘ES⇙. τ' ↿ C⇘𝒱⇙ = [] ∧ τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
proof (induct n arbitrary: τ)
(* base case: no C-events at all, τ itself is the witness *)
case 0
note τ_in_Tr = ‹τ ∈ Tr⇘ES⇙›
and ‹0 = length (τ ↿ C⇘𝒱⇙)›
hence "τ ↿ C⇘𝒱⇙ = []"
by simp
with τ_in_Tr show ?case
by auto
next
case (Suc n)
(* τ = β @ [c] @ α with c the last C-event; β @ α has n C-events *)
from projection_split_last[OF Suc(3)] obtain β c α
where c_in_C: "c ∈ C⇘𝒱⇙"
and τ_is_βcα: "τ = β @ [c] @ α"
and α_no_c: "α ↿ C⇘𝒱⇙ = []"
and βα_contains_n_cs: "n = length ((β @ α) ↿ C⇘𝒱⇙)"
by auto
with Suc(2) have βcα_in_Tr: "β @ [c] @ α ∈ Tr⇘ES⇙"
by auto
(* SD gives β @ α ∈ Tr; blast instantiates β' = β and α' = α, which
   trivially satisfy the stated projection equalities *)
with SD c_in_C βcα_in_Tr α_no_c obtain β' α'
where β'α'_in_Tr: "(β' @ α') ∈ Tr⇘ES⇙"
and α'_V_is_α_V: "α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
and α'_no_c: "α' ↿ C⇘𝒱⇙ = []"
and β'_VC_is_β_VC: "β' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙) = β ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙)"
unfolding SD_def
by blast
(* deleting c does not change the V ∪ N projection since c ∉ V ∪ N *)
have "(β' @ α') ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
proof -
from β'_VC_is_β_VC have "β' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = β ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (rule projection_subset_eq_from_superset_eq)
with α'_V_is_α_V have "(β' @ α') ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = (β @ α) ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (simp add: projection_def)
moreover
with VIsViewOnE c_in_C have "c ∉ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def NC_disjoint_def, auto)
hence "(β @ α) ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = (β @ [c] @ α) ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (simp add: projection_def)
moreover note τ_is_βcα
ultimately show ?thesis
by auto
qed
moreover
(* the corrected trace has exactly n C-events, enabling the IH *)
have "n = length ((β' @ α') ↿ C⇘𝒱⇙)"
proof -
have "β' ↿ C⇘𝒱⇙ = β ↿ C⇘𝒱⇙"
proof -
have "V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙ = C⇘𝒱⇙ ∪ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by auto
with β'_VC_is_β_VC have "β' ↿ (C⇘𝒱⇙ ∪ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)) = β ↿ (C⇘𝒱⇙ ∪ (V⇘𝒱⇙ ∪ N⇘𝒱⇙))"
by auto
thus ?thesis
by (rule projection_subset_eq_from_superset_eq)
qed
with α'_no_c α_no_c have "(β' @ α') ↿ C⇘𝒱⇙ = (β @ α) ↿ C⇘𝒱⇙"
by (simp add: projection_def)
with βα_contains_n_cs show ?thesis
by auto
qed
with Suc.hyps β'α'_in_Tr obtain τ'
where "τ' ∈ Tr⇘ES⇙"
and "τ' ↿ C⇘𝒱⇙ = []"
and "τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = (β' @ α') ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by auto
ultimately show ?case
by auto
qed
}
hence "τ ∈ Tr⇘ES⇙ ⟹ ∃τ'. τ'∈Tr⇘ES⇙ ∧ τ' ↿ C⇘𝒱⇙ = [] ∧ τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by auto
from this τ_trace obtain τ' where
τ'_trace : "τ'∈Tr⇘ES⇙"
and τ'_no_C : "τ' ↿ C⇘𝒱⇙ = []"
and τ'_τ_rel : "τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by auto
(* τ' has no C-events, so projecting to V ∪ N ∪ C = E⇘ES⇙ is the identity on τ' *)
from τ'_no_C have "τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙) = τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (auto simp add: projection_on_union)
with VIsViewOnE have τ'_E_eq_VN: "τ' ↿ E⇘ES⇙ = τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (auto simp add: isViewOn_def)
from validES τ'_trace have "(set τ') ⊆ E⇘ES⇙"
by (auto simp add: ES_valid_def traces_contain_events_def)
hence "τ' ↿ E⇘ES⇙ = τ'" by (simp add: list_subset_iff_projection_neutral)
with τ'_E_eq_VN have "τ' = τ' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)" by auto
with τ'_τ_rel have "τ' = τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)" by auto
with τ'_trace show "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ Tr⇘ES⇙" by auto
qed
(* D ⟹ R, by the same induction on the number of C-events as SD_implies_SR:
   each step removes the last C-event via D and tracks the V-projection (here
   only V, since R talks about V only) and the C-count. *)
lemma D_implies_R:
"D 𝒱 Tr⇘ES⇙ ⟹ R 𝒱 Tr⇘ES⇙"
proof -
assume D: "D 𝒱 Tr⇘ES⇙"
{
fix τ n
have R_via_length: " ⟦ τ ∈ Tr⇘ES⇙; n = length (τ ↿ C⇘𝒱⇙) ⟧
⟹ ∃τ' ∈ Tr⇘ES⇙. τ' ↿ C⇘𝒱⇙ = [] ∧ τ' ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙"
proof (induct n arbitrary: τ)
(* base case: τ has no C-events and is its own witness *)
case 0
note τ_in_Tr = ‹τ ∈ Tr⇘ES⇙›
and ‹0 = length (τ ↿ C⇘𝒱⇙)›
hence "τ ↿ C⇘𝒱⇙ = []"
by simp
with τ_in_Tr show ?case
by auto
next
case (Suc n)
(* split off the last C-event c: τ = β @ [c] @ α *)
from projection_split_last[OF Suc(3)] obtain β c α
where c_in_C: "c ∈ C⇘𝒱⇙"
and τ_is_βcα: "τ = β @ [c] @ α"
and α_no_c: "α ↿ C⇘𝒱⇙ = []"
and βα_contains_n_cs: "n = length ((β @ α) ↿ C⇘𝒱⇙)"
by auto
with Suc(2) have βcα_in_Tr: "β @ [c] @ α ∈ Tr⇘ES⇙"
by auto
(* D deletes c, possibly perturbing β in N and α in N/order *)
with D c_in_C βcα_in_Tr α_no_c obtain β' α'
where β'α'_in_Tr: "(β' @ α') ∈ Tr⇘ES⇙"
and α'_V_is_α_V: "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and α'_no_c: "α' ↿ C⇘𝒱⇙ = []"
and β'_VC_is_β_VC: "β' ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙)"
unfolding D_def
by blast
(* V-projection preserved: c ∉ V because V and C are disjoint *)
have "(β' @ α') ↿ V⇘𝒱⇙ = τ ↿ V⇘𝒱⇙"
proof -
from β'_VC_is_β_VC have "β' ↿ V⇘𝒱⇙ = β ↿ V⇘𝒱⇙"
by (rule projection_subset_eq_from_superset_eq)
with α'_V_is_α_V have "(β' @ α') ↿ V⇘𝒱⇙ = (β @ α) ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
with VIsViewOnE c_in_C have "c ∉ V⇘𝒱⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def, auto)
hence "(β @ α) ↿ V⇘𝒱⇙ = (β @ [c] @ α) ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover note τ_is_βcα
ultimately show ?thesis
by auto
qed
moreover
(* C-count drops to n: β' agrees with β on C, α' and α are C-free *)
have "n = length ((β' @ α') ↿ C⇘𝒱⇙)"
proof -
have "β' ↿ C⇘𝒱⇙ = β ↿ C⇘𝒱⇙"
proof -
have "V⇘𝒱⇙ ∪ C⇘𝒱⇙ = C⇘𝒱⇙ ∪ V⇘𝒱⇙"
by auto
with β'_VC_is_β_VC have "β' ↿ (C⇘𝒱⇙ ∪ V⇘𝒱⇙) = β ↿ (C⇘𝒱⇙ ∪ V⇘𝒱⇙)"
by auto
thus ?thesis
by (rule projection_subset_eq_from_superset_eq)
qed
with α'_no_c α_no_c have "(β' @ α') ↿ C⇘𝒱⇙ = (β @ α) ↿ C⇘𝒱⇙"
by (simp add: projection_def)
with βα_contains_n_cs show ?thesis
by auto
qed
with Suc.hyps β'α'_in_Tr obtain τ'
where "τ' ∈ Tr⇘ES⇙"
and "τ' ↿ C⇘𝒱⇙ = []"
and "τ' ↿ V⇘𝒱⇙ = (β' @ α') ↿ V⇘𝒱⇙"
by auto
ultimately show ?case
by auto
qed
}
thus ?thesis
by (simp add: R_def)
qed
(* SR for 𝒱 implies R for the "modified view" 𝒱' = (V ∪ N, {}, C), in which
   all formerly neutral events are treated as visible.  The C-free witness is
   τ ↿ V⇘𝒱'⇙ = τ ↿ (V ∪ N), which SR makes a trace.  𝒱' is again a view on
   E⇘ES⇙ since only the V/N boundary moved. *)
lemma SR_implies_R_for_modified_view :
"⟦SR 𝒱 Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈⟧ ⟹ R 𝒱' Tr⇘ES⇙"
proof -
assume "SR 𝒱 Tr⇘ES⇙"
and "𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈"
{
from ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈› VIsViewOnE
have V'IsViewOnE: "isViewOn 𝒱' E⇘ES⇙ "
unfolding isViewOn_def V_valid_def VC_disjoint_def NC_disjoint_def VN_disjoint_def by auto
fix τ
assume "τ ∈ Tr⇘ES⇙"
with ‹SR 𝒱 Tr⇘ES⇙› have "τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ Tr⇘ES⇙"
unfolding SR_def by auto
let ?τ'="τ ↿V⇘𝒱'⇙"
from ‹τ ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∈ Tr⇘ES⇙› have "?τ' ∈ Tr⇘ES⇙"
using ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈› by simp
moreover
(* V⇘𝒱'⇙ ∩ C⇘𝒱'⇙ = {} from validity of 𝒱' *)
from V'IsViewOnE have "?τ'↿C⇘𝒱'⇙=[]"
using disjoint_projection
unfolding isViewOn_def V_valid_def VC_disjoint_def by auto
moreover
have "?τ'↿V⇘𝒱'⇙ = τ↿V⇘𝒱'⇙"
by (simp add: projection_subset_elim)
ultimately
have "∃τ'∈Tr⇘ES⇙. τ' ↿ C⇘𝒱'⇙ = [] ∧ τ' ↿ V⇘𝒱'⇙ = τ ↿ V⇘𝒱'⇙"
by auto
}
with ‹SR 𝒱 Tr⇘ES⇙› show ?thesis
unfolding R_def using ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈› by auto
qed
(* Converse of SR_implies_R_for_modified_view: R for 𝒱' = (V ∪ N, {}, C)
   implies SR for 𝒱.  The trace τ' given by R agrees with τ on V⇘𝒱'⇙ = V ∪ N
   and has no C-events; since all its events lie in E⇘ES⇙ = V ∪ N ∪ C, τ' is
   literally τ ↿ (V ∪ N). *)
lemma R_implies_SR_for_modified_view :
"⟦R 𝒱' Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈⟧ ⟹ SR 𝒱 Tr⇘ES⇙"
proof -
assume "R 𝒱' Tr⇘ES⇙"
and "𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈"
{
fix τ
assume "τ ∈ Tr⇘ES⇙"
from ‹R 𝒱' Tr⇘ES⇙› ‹τ ∈ Tr⇘ES⇙› obtain τ' where "τ' ∈ Tr⇘ES⇙"
and "τ' ↿ C⇘𝒱'⇙ = []"
and "τ' ↿ V⇘𝒱'⇙ = τ ↿ V⇘𝒱'⇙"
unfolding R_def by auto
from VIsViewOnE ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈› have "isViewOn 𝒱' E⇘ES⇙"
unfolding isViewOn_def V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
by auto
(* N⇘𝒱'⇙ = {}, so V⇘𝒱'⇙ ∪ N⇘𝒱'⇙ = V⇘𝒱'⇙ *)
from ‹τ' ↿ V⇘𝒱'⇙ = τ ↿ V⇘𝒱'⇙› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "τ' ↿ (V⇘𝒱'⇙ ∪ N⇘𝒱'⇙) = τ ↿ (V⇘𝒱'⇙ ∪ N⇘𝒱'⇙)"
by simp
(* every event of τ' is in E⇘ES⇙ and not in C⇘𝒱'⇙, so the filter keeps all of τ' *)
from ‹τ' ↿ C⇘𝒱'⇙ = []› have "τ' =τ' ↿ (V⇘𝒱'⇙ ∪ N⇘𝒱'⇙)"
using validES ‹τ' ∈ Tr⇘ES⇙› ‹isViewOn 𝒱' E⇘ES⇙›
unfolding projection_def ES_valid_def isViewOn_def traces_contain_events_def
by (metis UnE filter_True filter_empty_conv)
hence "τ' =τ ↿ (V⇘𝒱'⇙ ∪ N⇘𝒱'⇙)"
using ‹τ' ↿ (V⇘𝒱'⇙ ∪ N⇘𝒱'⇙) = τ ↿ (V⇘𝒱'⇙ ∪ N⇘𝒱'⇙)›
by simp
with ‹τ' ∈ Tr⇘ES⇙› have "τ ↿ (V⇘𝒱'⇙ ∪ N⇘𝒱'⇙) ∈ Tr⇘ES⇙"
by auto
}
thus ?thesis
unfolding SR_def using ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
by simp
qed
(* SD for 𝒱 implies BSD for the modified view 𝒱' = (V ∪ N, {}, C).  Since
   C⇘𝒱'⇙ = C⇘𝒱⇙, the BSD premises transfer to 𝒱 verbatim, SD gives β @ α ∈ Tr,
   and α' = α witnesses BSD. *)
lemma SD_implies_BSD_for_modified_view :
"⟦SD 𝒱 Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈⟧ ⟹ BSD 𝒱' Tr⇘ES⇙"
proof -
assume "SD 𝒱 Tr⇘ES⇙"
and "𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈"
{
fix α β c
assume "c ∈ C⇘𝒱'⇙"
and "β @ [c] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱'⇙ = []"
from ‹c ∈ C⇘𝒱'⇙› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "c ∈ C⇘𝒱⇙"
by auto
from ‹α↿C⇘𝒱'⇙ = []› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "α↿C⇘𝒱⇙ = []"
by auto
from ‹c ∈ C⇘𝒱⇙› ‹β @ [c] @ α ∈ Tr⇘ES⇙› ‹α↿C⇘𝒱⇙ = []›
have "β @ α ∈ Tr⇘ES⇙" using ‹SD 𝒱 Tr⇘ES⇙›
unfolding SD_def by auto
hence "∃α'. β @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱'⇙ = α ↿ V⇘𝒱'⇙ ∧ α' ↿ C⇘𝒱'⇙ = [] "
using ‹α ↿ C⇘𝒱'⇙ = []› by blast
}
with ‹SD 𝒱 Tr⇘ES⇙› show ?thesis
unfolding BSD_def using ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈› by auto
qed
(* Converse: BSD for 𝒱' = (V ∪ N, {}, C) implies SD for 𝒱.  BSD yields
   β @ α' ∈ Tr with α' ↿ (V ∪ N) = α ↿ (V ∪ N) and both α, α' free of
   C-events.  Because every event of a trace lies in E⇘ES⇙ = V ∪ N ∪ C
   (validES, VIsViewOnE), projecting a C-free list onto V ∪ N is the
   identity, hence α' = α and β @ α ∈ Tr as SD demands. *)
lemma BSD_implies_SD_for_modified_view :
"⟦BSD 𝒱' Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈⟧ ⟹ SD 𝒱 Tr⇘ES⇙"
unfolding SD_def
proof(clarsimp)
fix α β c
assume BSD_view' : "BSD ⦇V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N = {} , C = C⇘𝒱⇙⦈ Tr⇘ES⇙"
assume alpha_no_C_view : "α ↿ C⇘𝒱⇙ = []"
assume c_C_view : "c ∈ C⇘𝒱⇙"
assume beta_c_alpha_is_trace : "β @ c # α ∈ Tr⇘ES⇙"
from BSD_view' alpha_no_C_view c_C_view beta_c_alpha_is_trace
obtain α'
where beta_alpha'_is_trace: "β @ α'∈(Tr⇘ES⇙)"
and alpha_alpha': "α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
and alpha'_no_C_view : "α' ↿ C⇘𝒱⇙ = []"
by (auto simp add: BSD_def)
(* α ↿ (V ∪ N) = α: α is over E⇘ES⇙ and has no C-events *)
from beta_c_alpha_is_trace validES
have alpha_consists_of_events: "set α ⊆ E⇘ES⇙"
by (auto simp add: ES_valid_def traces_contain_events_def)
from alpha_no_C_view have "α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙) = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (rule projection_on_union)
with VIsViewOnE have alpha_on_ES : "α ↿ E⇘ES⇙ = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
unfolding isViewOn_def by simp
from alpha_consists_of_events VIsViewOnE have "α ↿ E⇘ES⇙ = α"
by (simp add: list_subset_iff_projection_neutral)
with alpha_on_ES have α_eq: "α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α" by auto
(* the same argument for α' *)
from beta_alpha'_is_trace validES
have alpha'_consists_of_events: "set α' ⊆ E⇘ES⇙"
by (auto simp add: ES_valid_def traces_contain_events_def)
from alpha'_no_C_view have "α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙) = α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (rule projection_on_union)
with VIsViewOnE have alpha'_on_ES : "α' ↿ E⇘ES⇙ = α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
unfolding isViewOn_def by (simp)
from alpha'_consists_of_events VIsViewOnE have "α' ↿ E⇘ES⇙ = α'"
by (simp add: list_subset_iff_projection_neutral)
with alpha'_on_ES have α'_eq: "α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α'" by auto
from alpha_alpha' α_eq α'_eq have "α = α'" by auto
with beta_alpha'_is_trace show "β @ α ∈ Tr⇘ES⇙" by auto
qed
(* SD ⟹ FCD (for any Γ): the suffix v # α after c is C-free because v ∈ V and
   V ∩ C = {}, so SD deletes c and yields β @ [v] @ α ∈ Tr; this is the FCD
   witness with the empty correction δ' = [] and α' = α. *)
lemma SD_implies_FCD:
"(SD 𝒱 Tr⇘ES⇙) ⟹ FCD Γ 𝒱 Tr⇘ES⇙"
proof -
assume SD: "SD 𝒱 Tr⇘ES⇙"
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and alpha_C_empty: "α ↿ C⇘𝒱⇙ = []"
and "β @ [c, v] @ α ∈ Tr⇘ES⇙"
moreover
(* v ∉ C by VC_disjoint, so prepending v keeps the suffix C-free *)
with VIsViewOnE have "(v # α) ↿ C⇘𝒱⇙ = []"
unfolding isViewOn_def V_valid_def VC_disjoint_def projection_def by auto
ultimately
have "β @ (v # α) ∈ Tr⇘ES⇙"
using SD unfolding SD_def by auto
with alpha_C_empty
have "∃α'. ∃δ'. (set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ δ' @ [v] @ α') ∈ Tr⇘ES⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by (metis append.simps(1) append.simps(2) bot_least list.set(1))
}
thus ?thesis
unfolding SD_def FCD_def by auto
qed
(* SI ⟹ BSI: SI inserts c without any correction, so α' = α witnesses BSI. *)
lemma SI_implies_BSI :
"(SI 𝒱 Tr⇘ES⇙) ⟹ BSI 𝒱 Tr⇘ES⇙ "
proof -
assume SI: "SI 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C_empty: "α ↿ C⇘𝒱⇙ = []"
with SI have "β @ c # α ∈ Tr⇘ES⇙"
unfolding SI_def by auto
hence "∃α'. β @ c # α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
using alpha_C_empty by auto
}
thus ?thesis
unfolding SI_def BSI_def by auto
qed
(* BSI ⟹ I: β' = β satisfies the V ∪ C agreement trivially, α' comes from
   BSI. *)
lemma BSI_implies_I:
"(BSI 𝒱 Tr⇘ES⇙) ⟹ (I 𝒱 Tr⇘ES⇙)"
proof -
assume BSI: "BSI 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α ↿ C⇘𝒱⇙ = []"
with BSI obtain α'
where "β @ [c] @ α' ∈ Tr⇘ES⇙"
and "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and "α' ↿ C⇘𝒱⇙ = []"
unfolding BSI_def
by blast
hence
"(∃α' β'. (β' @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []) ∧
β' ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙))"
by auto
}
thus ?thesis unfolding BSI_def I_def
by auto
qed
(* SIA ⟹ BSIA (same ρ): as SI_implies_BSI, with α' = α; the admissibility
   premise is passed through unchanged. *)
lemma SIA_implies_BSIA:
"(SIA ρ 𝒱 Tr⇘ES⇙) ⟹ (BSIA ρ 𝒱 Tr⇘ES⇙)"
proof -
assume SIA: "SIA ρ 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C_empty: "α ↿ C⇘𝒱⇙ = []"
and "(Adm 𝒱 ρ Tr⇘ES⇙ β c)"
with SIA obtain "β @ c # α ∈ Tr⇘ES⇙"
unfolding SIA_def by auto
hence "∃ α'. β @ c # α' ∈ Tr⇘ES⇙ ∧ α'↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
using alpha_C_empty by auto
}
thus ?thesis
unfolding SIA_def BSIA_def by auto
qed
(* BSIA ⟹ IA (same ρ): β' = β and the α' provided by BSIA. *)
lemma BSIA_implies_IA:
"(BSIA ρ 𝒱 Tr⇘ES⇙) ⟹ (IA ρ 𝒱 Tr⇘ES⇙)"
proof -
assume BSIA: "BSIA ρ 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α ↿ C⇘𝒱⇙ = []"
and "(Adm 𝒱 ρ Tr⇘ES⇙ β c)"
with BSIA obtain α'
where "β @ [c] @ α' ∈ Tr⇘ES⇙"
and "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and "α' ↿ C⇘𝒱⇙ = []"
unfolding BSIA_def
by blast
hence "(∃α' β'.
(β' @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []) ∧
β' ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β ↿ (V⇘𝒱⇙ ∪ C⇘𝒱⇙))"
by auto
}
thus ?thesis
unfolding BSIA_def IA_def by auto
qed
(* SI ⟹ SIA for every ρ: SIA has the additional premise Adm, which is simply
   dropped; the admissible case is a special case of the unrestricted one. *)
lemma SI_implies_SIA:
"SI 𝒱 Tr⇘ES⇙ ⟹ SIA ρ 𝒱 Tr⇘ES⇙"
proof -
assume SI: "SI 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α ↿ C⇘𝒱⇙ = []"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
with SI have "β @ (c # α) ∈ Tr⇘ES⇙"
unfolding SI_def by auto
}
thus ?thesis unfolding SI_def SIA_def by auto
qed
(* BSI ⟹ BSIA for every ρ: the Adm premise of BSIA is not needed. *)
lemma BSI_implies_BSIA:
"BSI 𝒱 Tr⇘ES⇙ ⟹ BSIA ρ 𝒱 Tr⇘ES⇙"
proof -
assume BSI: "BSI 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α ↿ C⇘𝒱⇙ = []"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
with BSI have "∃ α'. β @ (c # α') ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
unfolding BSI_def by auto
}
thus ?thesis
unfolding BSI_def BSIA_def by auto
qed
(* I ⟹ IA for every ρ: again the Adm premise is dropped. *)
lemma I_implies_IA:
"I 𝒱 Tr⇘ES⇙ ⟹ IA ρ 𝒱 Tr⇘ES⇙"
proof -
assume I: "I 𝒱 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α ↿ C⇘𝒱⇙ = []"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
with I have "∃ α' β'. β' @ (c # α') ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙
∧ α' ↿ C⇘𝒱⇙ = [] ∧ β' ↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β ↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) "
unfolding I_def by auto
}
thus ?thesis
unfolding I_def IA_def by auto
qed
(* SI for 𝒱 implies BSI for the modified view 𝒱' = (V ∪ N, {}, C).  The BSI
   premises transfer to 𝒱 because C⇘𝒱'⇙ = C⇘𝒱⇙; SI then inserts c and α' = α
   witnesses BSI. *)
lemma SI_implies_BSI_for_modified_view :
"⟦SI 𝒱 Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈⟧ ⟹ BSI 𝒱' Tr⇘ES⇙"
proof -
assume "SI 𝒱 Tr⇘ES⇙"
and "𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈"
{
fix α β c
assume "c ∈ C⇘𝒱'⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱'⇙ = []"
from ‹c ∈ C⇘𝒱'⇙› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "c ∈ C⇘𝒱⇙"
by auto
from ‹α↿C⇘𝒱'⇙ = []› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "α↿C⇘𝒱⇙ = []"
by auto
from ‹c ∈ C⇘𝒱⇙› ‹β @ α ∈ Tr⇘ES⇙› ‹α↿C⇘𝒱⇙ = []›
have "β @ [c] @ α ∈ Tr⇘ES⇙"
using ‹SI 𝒱 Tr⇘ES⇙› unfolding SI_def by auto
hence "∃α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱'⇙ = α ↿ V⇘𝒱'⇙ ∧ α' ↿ C⇘𝒱'⇙ = [] "
using ‹α ↿ C⇘𝒱'⇙ = []›
by blast
}
with ‹SI 𝒱 Tr⇘ES⇙› show ?thesis
unfolding BSI_def using ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈› by auto
qed
(* Converse: BSI for 𝒱' = (V ∪ N, {}, C) implies SI for 𝒱.  Mirrors
   BSD_implies_SD_for_modified_view: the α' produced by BSI agrees with α on
   V ∪ N, both are C-free and consist of events of E⇘ES⇙ = V ∪ N ∪ C, so
   α' = α and the inserted trace is exactly β @ [c] @ α.
   NOTE(review): the two "∀c∈C⇘𝒱⇙" intermediate facts only restate BSI_def with
   the premises discharged; "with this BSI_view'" also repeats the chained
   fact.  Obtaining α' directly from BSI_view' would shorten the proof. *)
lemma BSI_implies_SI_for_modified_view :
"⟦BSI 𝒱' Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N = {} , C = C⇘𝒱⇙ ⦈⟧ ⟹ SI 𝒱 Tr⇘ES⇙"
unfolding SI_def
proof (clarsimp)
fix α β c
assume BSI_view' : "BSI ⦇V = V⇘𝒱⇙ ∪ N⇘𝒱⇙, N = {}, C = C⇘𝒱⇙⦈ Tr⇘ES⇙"
assume alpha_no_C_view : "α ↿ C⇘𝒱⇙ = []"
assume c_C_view : "c ∈ C⇘𝒱⇙"
assume beta_alpha_is_trace : "β @ α ∈ Tr⇘ES⇙"
from BSI_view' have "∀c∈C⇘𝒱⇙. β @ α ∈ Tr⇘ES⇙ ∧ α ↿ C⇘𝒱⇙ = []
⟶ (∃α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∧ α' ↿ C⇘𝒱⇙ = [])"
by (auto simp add: BSI_def)
with beta_alpha_is_trace alpha_no_C_view have "∀c∈C⇘𝒱⇙.
(∃α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) ∧ α' ↿ C⇘𝒱⇙ = [])"
by auto
with this BSI_view' c_C_view obtain α'
where beta_c_alpha'_is_trace: "β @ [c] @ α' ∈ Tr⇘ES⇙"
and alpha_alpha': "α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
and alpha'_no_C_view : "α' ↿ C⇘𝒱⇙ = []"
by auto
(* α ↿ (V ∪ N) = α: α is over E⇘ES⇙ and C-free *)
from beta_alpha_is_trace validES
have alpha_consists_of_events: "set α ⊆ E⇘ES⇙"
by (auto simp add: ES_valid_def traces_contain_events_def)
from alpha_no_C_view have "α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙) = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (rule projection_on_union)
with VIsViewOnE have alpha_on_ES : "α ↿ E⇘ES⇙ = α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
unfolding isViewOn_def by (simp)
from alpha_consists_of_events VIsViewOnE have "α ↿ E⇘ES⇙ = α"
by (simp add: list_subset_iff_projection_neutral)
with alpha_on_ES have α_eq: "α ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α" by auto
(* likewise for α' *)
from beta_c_alpha'_is_trace validES
have alpha'_consists_of_events: "set α' ⊆ E⇘ES⇙"
by (auto simp add: ES_valid_def traces_contain_events_def)
from alpha'_no_C_view have "α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙) = α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
by (rule projection_on_union)
with VIsViewOnE have alpha'_on_ES : "α' ↿ E⇘ES⇙ = α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙)"
unfolding isViewOn_def by (simp)
from alpha'_consists_of_events VIsViewOnE have "α' ↿ E⇘ES⇙ = α'"
by (simp add: list_subset_iff_projection_neutral)
with alpha'_on_ES have α'_eq: "α' ↿ (V⇘𝒱⇙ ∪ N⇘𝒱⇙) = α'" by auto
from alpha_alpha' α_eq α'_eq have "α = α'" by auto
with beta_c_alpha'_is_trace show "β @ c # α ∈ Tr⇘ES⇙" by auto
qed
(* SIA ρ for 𝒱 implies BSIA ρ' for the modified view 𝒱' = (V ∪ N, {}, C),
   provided the two ρ-functions select the same event set (ρ 𝒱 = ρ' 𝒱'), so
   that admissibility w.r.t. (𝒱', ρ') coincides with admissibility w.r.t.
   (𝒱, ρ) by Adm_def.  The rest is as in SI_implies_BSI_for_modified_view. *)
lemma SIA_implies_BSIA_for_modified_view :
"⟦SIA ρ 𝒱 Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈ ; ρ 𝒱 = ρ' 𝒱'⟧ ⟹ BSIA ρ' 𝒱' Tr⇘ES⇙"
proof -
assume "SIA ρ 𝒱 Tr⇘ES⇙"
and "𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈"
and "ρ 𝒱 = ρ' 𝒱'"
{
fix α β c
assume "c ∈ C⇘𝒱'⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱'⇙ = []"
and "Adm 𝒱' ρ' Tr⇘ES⇙ β c"
from ‹c ∈ C⇘𝒱'⇙› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "c ∈ C⇘𝒱⇙"
by auto
from ‹α↿C⇘𝒱'⇙ = []› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "α↿C⇘𝒱⇙ = []"
by auto
(* Adm only depends on the selected event set, which is equal by assumption *)
from ‹Adm 𝒱' ρ' Tr⇘ES⇙ β c› ‹ρ 𝒱 = ρ' 𝒱'›
have "Adm 𝒱 ρ Tr⇘ES⇙ β c"
by (simp add: Adm_def)
from ‹c ∈ C⇘𝒱⇙› ‹β @ α ∈ Tr⇘ES⇙› ‹α↿C⇘𝒱⇙ = []› ‹Adm 𝒱 ρ Tr⇘ES⇙ β c›
have "β @ [c] @ α ∈ Tr⇘ES⇙"
using ‹SIA ρ 𝒱 Tr⇘ES⇙› unfolding SIA_def by auto
hence "∃α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱'⇙ = α ↿ V⇘𝒱'⇙ ∧ α' ↿ C⇘𝒱'⇙ = [] "
using ‹α ↿ C⇘𝒱'⇙ = []› by blast
}
with ‹SIA ρ 𝒱 Tr⇘ES⇙› show ?thesis
unfolding BSIA_def using ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
by auto
qed
(* Converse: BSIA ρ' for 𝒱' = (V ∪ N, {}, C) implies SIA ρ for 𝒱 when
   ρ 𝒱 = ρ' 𝒱'.  After transferring the premises (including Adm) to 𝒱',
   BSIA gives β @ [c] @ α'; α' and α agree on V ∪ N and on C (both are
   C-free), hence on V ∪ N ∪ C = E⇘ES⇙, and as both are lists over E⇘ES⇙ they
   are equal. *)
lemma BSIA_implies_SIA_for_modified_view :
"⟦BSIA ρ' 𝒱' Tr⇘ES⇙; 𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N = {} , C = C⇘𝒱⇙ ⦈; ρ 𝒱 = ρ' 𝒱'⟧ ⟹ SIA ρ 𝒱 Tr⇘ES⇙"
proof -
assume "BSIA ρ' 𝒱' Tr⇘ES⇙"
and "𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N = {} , C = C⇘𝒱⇙ ⦈"
and "ρ 𝒱 = ρ' 𝒱'"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙ = []"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
from ‹c ∈ C⇘𝒱⇙› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "c ∈ C⇘𝒱'⇙"
by auto
from ‹α↿C⇘𝒱⇙ = []› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈›
have "α↿C⇘𝒱'⇙ = []"
by auto
from ‹Adm 𝒱 ρ Tr⇘ES⇙ β c› ‹ρ 𝒱 = ρ' 𝒱'›
have "Adm 𝒱' ρ' Tr⇘ES⇙ β c"
by (simp add: Adm_def)
from ‹c ∈ C⇘𝒱'⇙› ‹β @ α ∈ Tr⇘ES⇙› ‹α↿C⇘𝒱'⇙ = []› ‹Adm 𝒱' ρ' Tr⇘ES⇙ β c›
obtain α' where "β @ [c] @ α' ∈ Tr⇘ES⇙"
and " α' ↿ V⇘𝒱'⇙ = α ↿ V⇘𝒱'⇙"
and " α' ↿ C⇘𝒱'⇙ = []"
using ‹BSIA ρ' 𝒱' Tr⇘ES⇙› unfolding BSIA_def by blast
from ‹β @ α ∈ Tr⇘ES⇙› validES
have alpha_consists_of_events: "set α ⊆ E⇘ES⇙"
by (auto simp add: ES_valid_def traces_contain_events_def)
from ‹β @ [c] @ α' ∈ Tr⇘ES⇙› validES
have alpha'_consists_of_events: "set α' ⊆ E⇘ES⇙"
by (auto simp add: ES_valid_def traces_contain_events_def)
from ‹α' ↿ V⇘𝒱'⇙ = α ↿ V⇘𝒱'⇙› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N = {} , C = C⇘𝒱⇙ ⦈›
have "α'↿(V⇘𝒱⇙ ∪ N⇘𝒱⇙)=α↿(V⇘𝒱⇙ ∪ N⇘𝒱⇙)" by auto
(* extend the agreement to C, where both projections are empty *)
with ‹α' ↿ C⇘𝒱'⇙ = []› ‹α↿C⇘𝒱⇙ = []› ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N = {} , C = C⇘𝒱⇙ ⦈›
have "α'↿(V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙)=α↿(V⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ C⇘𝒱⇙)"
by (simp add: projection_on_union)
(* projection onto E⇘ES⇙ is the identity on lists over E⇘ES⇙ *)
with VIsViewOnE alpha_consists_of_events alpha'_consists_of_events
have "α'=α" unfolding isViewOn_def
by (simp add: list_subset_iff_projection_neutral)
hence "β @ [c] @ α ∈ Tr⇘ES⇙ "
using ‹β @ [c] @ α' ∈ Tr⇘ES⇙› by blast
}
with ‹BSIA ρ' 𝒱' Tr⇘ES⇙› show ?thesis
unfolding SIA_def using ‹𝒱' = ⦇ V = V⇘𝒱⇙ ∪ N⇘𝒱⇙ , N ={} , C = C⇘𝒱⇙ ⦈› by auto
qed
end
(* Admissibility is antitone in the event set selected by the correction
   function: a witness γ for (𝒱⇩2, ρ⇩2) agrees with α on ρ⇩2 𝒱⇩2, hence also on
   the subset ρ⇩1 𝒱⇩1 (non_empty_projection_on_subset), so the same γ witnesses
   admissibility of e after α for (𝒱⇩1, ρ⇩1). Used below to carry SIA/BSIA/IA
   from one view to another. Stated outside any context: Tr is an arbitrary
   trace set. *)
lemma Adm_implies_Adm_for_modified_rho:
"⟦ Adm 𝒱⇩2 ρ⇩2 Tr α e;ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1)⟧ ⟹ Adm 𝒱⇩1 ρ⇩1 Tr α e "
proof -
assume "Adm 𝒱⇩2 ρ⇩2 Tr α e"
and "ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1)"
then obtain γ
where "γ @ [e] ∈ Tr"
and "γ ↿ ρ⇩2 𝒱⇩2 = α ↿ ρ⇩2 𝒱⇩2"
unfolding Adm_def by auto
thus "Adm 𝒱⇩1 ρ⇩1 Tr α e"
unfolding Adm_def
using ‹ρ⇩1 𝒱⇩1 ⊆ ρ⇩2 𝒱⇩2› non_empty_projection_on_subset
by blast
qed
context BSPTaxonomyDifferentCorrections
begin
(* Strict insertion implies forward correctable insertion for any Γ: SI lets the
   confidential c be inserted in front of the C-free suffix [v] @ α, which is
   exactly an FCI witness with δ' = [] and α' = α. The suffix (v # α) is C-free
   because v ∈ V⇘𝒱⇙ and V, C are disjoint (VIsViewOnE). *)
lemma SI_implies_FCI:
"(SI 𝒱 Tr⇘ES⇙) ⟹ FCI Γ 𝒱 Tr⇘ES⇙"
proof -
assume SI: "SI 𝒱 Tr⇘ES⇙"
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [v] @ α ∈ Tr⇘ES⇙"
and alpha_C_empty: "α ↿ C⇘𝒱⇙ = []"
moreover
with VIsViewOnE have "(v # α) ↿ C⇘𝒱⇙ = []"
unfolding isViewOn_def V_valid_def VC_disjoint_def projection_def by auto
ultimately
have "β @ [c , v] @ α ∈ Tr⇘ES⇙" using SI unfolding SI_def by auto
(* The FCI witness: empty δ' and the unchanged suffix α. *)
with alpha_C_empty
have "∃α'. ∃δ'.
(set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ [c] @ δ' @ [v] @ α') ∈ Tr⇘ES⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by (metis append.simps(1) append.simps(2) bot_least list.set(1))
}
thus ?thesis
unfolding SI_def FCI_def by auto
qed
(* Same argument as SI_implies_FCI with the admissibility hypothesis threaded
   through: SIA inserts c (admissible after β) in front of [v] @ α, giving the
   FCIA witness δ' = [], α' = α. *)
lemma SIA_implies_FCIA:
"(SIA ρ 𝒱 Tr⇘ES⇙) ⟹ FCIA ρ Γ 𝒱 Tr⇘ES⇙"
proof -
assume SIA: "SIA ρ 𝒱 Tr⇘ES⇙"
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [v] @ α ∈ Tr⇘ES⇙"
and alpha_C_empty: "α ↿ C⇘𝒱⇙ = []"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
moreover
with VIsViewOnE have "(v # α) ↿ C⇘𝒱⇙ = []"
unfolding isViewOn_def V_valid_def VC_disjoint_def projection_def by auto
ultimately
have "β @ [c , v] @ α ∈ Tr⇘ES⇙" using SIA unfolding SIA_def by auto
with alpha_C_empty
have "∃α'. ∃δ'.
(set δ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ((β @ [c] @ δ' @ [v] @ α') ∈ Tr⇘ES⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by (metis append.simps(1) append.simps(2) bot_least list.set(1))
}
thus ?thesis
unfolding SIA_def FCIA_def by auto
qed
(* FCIA only adds an admissibility premise to FCI, so FCI implies FCIA for every
   correction function ρ: the FCI witness is reused unchanged. *)
lemma FCI_implies_FCIA:
"(FCI Γ 𝒱 Tr⇘ES⇙) ⟹ FCIA ρ Γ 𝒱 Tr⇘ES⇙"
proof-
assume FCI: "FCI Γ 𝒱 Tr⇘ES⇙"
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [v] @ α ∈ Tr⇘ES⇙"
and "α ↿ C⇘𝒱⇙ = []"
with FCI have "∃α' δ'. set δ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙ ∧
β @ [c] @ δ' @ [v] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
unfolding FCI_def by auto
}
thus ?thesis
unfolding FCI_def FCIA_def by auto
qed
(* Without confidential events SR holds trivially: every trace consists of
   ES-events (validES) and, by VIsViewOnE, E⇘ES⇙ = V ∪ N ∪ C = V ∪ N, so
   τ↿(V ∪ N) is τ itself and therefore again a trace. *)
lemma Trivially_fulfilled_SR_C_empty:
"C⇘𝒱⇙ = {} ⟹ SR 𝒱 Tr⇘ES⇙"
proof -
assume "C⇘𝒱⇙={}"
{
fix τ
assume "τ ∈ Tr⇘ES⇙"
hence "τ=τ↿E⇘ES⇙" using validES
unfolding ES_valid_def traces_contain_events_def projection_def by auto
with ‹C⇘𝒱⇙={}› have "τ=τ↿(V⇘𝒱⇙∪N⇘𝒱⇙)"
using VIsViewOnE unfolding isViewOn_def by auto
with ‹τ ∈ Tr⇘ES⇙› have "τ↿(V⇘𝒱⇙∪N⇘𝒱⇙) ∈ Tr⇘ES⇙"
by auto
}
thus ?thesis
unfolding SR_def by auto
qed
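(* Without confidential events R holds trivially: every trace τ is its own
   witness, since τ↿C = [] and τ↿V = τ↿V. (That τ = τ↿(V ∪ N) follows from
   validES and VIsViewOnE exactly as in Trivially_fulfilled_SR_C_empty.)
   The intermediate fact is stated for the witness τ', matching the shape of
   R_def as used in R_implies_R_for_modified_view (τ'↿C = [] ∧ τ'↿V = τ↿V);
   previously it constrained τ instead of τ'. *)
lemma Trivially_fulfilled_R_C_empty:
"C⇘𝒱⇙ = {} ⟹ R 𝒱 Tr⇘ES⇙"
proof -
assume "C⇘𝒱⇙={}"
{
fix τ
assume "τ ∈ Tr⇘ES⇙"
hence "τ=τ↿E⇘ES⇙" using validES
unfolding ES_valid_def traces_contain_events_def projection_def by auto
with ‹C⇘𝒱⇙={}› have "τ=τ↿(V⇘𝒱⇙∪N⇘𝒱⇙)"
using VIsViewOnE unfolding isViewOn_def by auto
(* Witness τ' = τ: with C = {} its C-projection is [] and its V-projection is τ↿V. *)
with ‹τ ∈ Tr⇘ES⇙› ‹C⇘𝒱⇙={}› have "∃τ' ∈ Tr⇘ES⇙. τ'↿C⇘𝒱⇙=[] ∧ τ' ↿V⇘𝒱⇙=τ↿V⇘𝒱⇙"
unfolding projection_def by auto
}
thus ?thesis
unfolding R_def by auto
qed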
(* Vacuous: with C⇘𝒱⇙ = {} there is no confidential event to delete (SD, like
   the other deletion properties, quantifies over c ∈ C⇘𝒱⇙). *)
lemma Trivially_fulfilled_SD_C_empty:
"C⇘𝒱⇙ = {} ⟹ SD 𝒱 Tr⇘ES⇙"
by (simp add: SD_def)
(* Vacuous: BSD's premise c ∈ C⇘𝒱⇙ (see its unfolding in
   BSD_implies_BSD_for_modified_view) is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_BSD_C_empty:
"C⇘𝒱⇙ = {} ⟹ BSD 𝒱 Tr⇘ES⇙"
by (simp add: BSD_def)
(* Vacuous: D's premise c ∈ C⇘𝒱⇙ (see its unfolding in
   D_implies_D_for_modified_view) is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_D_C_empty:
"C⇘𝒱⇙ = {} ⟹ D 𝒱 Tr⇘ES⇙"
by (simp add: D_def)
(* Vacuous: FCD's premise c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_FCD_C_empty:
"C⇘𝒱⇙ = {} ⟹ FCD Γ 𝒱 Tr⇘ES⇙"
by (simp add: FCD_def)
(* Without visible events R holds trivially: the empty trace is in Tr⇘ES⇙ by
   prefix closure (validES) and both projections of [] and the V-projection
   of any τ (V = {}) are empty, so τ' = [] witnesses R for every τ.
   Name: "fullfilled" is a historical misspelling of "fulfilled"; it is kept
   because other theories may refer to the lemma by this name. *)
lemma Trivially_fullfilled_R_V_empty:
"V⇘𝒱⇙={} ⟹ R 𝒱 Tr⇘ES⇙"
proof -
assume "V⇘𝒱⇙={}"
{
fix τ
assume "τ ∈ Tr⇘ES⇙"
let ?τ'="[]"
from ‹τ ∈ Tr⇘ES⇙›have "?τ' ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
with ‹V⇘𝒱⇙={}›
have "∃τ' ∈ Tr⇘ES⇙. τ'↿C⇘𝒱⇙=[] ∧ τ'↿V⇘𝒱⇙=τ↿V⇘𝒱⇙"
by (metis projection_on_empty_trace projection_to_emptyset_is_empty_trace)
}
thus ?thesis
unfolding R_def by auto
qed
(* Without visible events BSD holds trivially: delete c together with its
   whole suffix. β is a trace by prefix closure (validES), and α' = []
   satisfies the V- and C-conditions because V⇘𝒱⇙ = {} makes α↿V empty too. *)
lemma Trivially_fulfilled_BSD_V_empty:
"V⇘𝒱⇙ = {} ⟹ BSD 𝒱 Tr⇘ES⇙"
proof -
assume "V⇘𝒱⇙={}"
{
fix α β c
assume "β @ [c] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙= []"
from ‹β @ [c] @ α ∈ Tr⇘ES⇙› have "β ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
let ?α'="[]"
from ‹β ∈ Tr⇘ES⇙› ‹V⇘𝒱⇙={}›
have "β@ ?α'∈Tr⇘ES⇙ ∧ ?α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ ?α'↿C⇘𝒱⇙ = []"
by (simp add: projection_on_empty_trace projection_to_emptyset_is_empty_trace)
hence
"∃α'.
β @ α'∈Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []" by blast
}
thus ?thesis
unfolding BSD_def by auto
qed
(* Without visible events D holds trivially, by the same witness as for BSD:
   keep the prefix (β' = β, so the V ∪ C-projection condition is reflexive)
   and drop c with its whole suffix (α' = []). *)
lemma Trivially_fulfilled_D_V_empty:
"V⇘𝒱⇙ = {} ⟹ D 𝒱 Tr⇘ES⇙"
proof -
assume "V⇘𝒱⇙={}"
{
fix α β c
assume "β @ [c] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙= []"
from ‹β @ [c] @ α ∈ Tr⇘ES⇙› have "β ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
let ?β'=β and ?α'="[]"
from ‹β ∈ Tr⇘ES⇙› ‹V⇘𝒱⇙={}›
have "?β'@ ?α'∈Tr⇘ES⇙ ∧ ?α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ ?α'↿C⇘𝒱⇙ = [] ∧ ?β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙)"
by (simp add: projection_on_empty_trace projection_to_emptyset_is_empty_trace)
hence
"∃α' β'.
β'@ α'∈Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = [] ∧ β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙)"
by blast
}
thus ?thesis
unfolding D_def by auto
qed
(* Vacuous: FCD's premise v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙ is unsatisfiable when V is empty. *)
lemma Trivially_fulfilled_FCD_V_empty:
"V⇘𝒱⇙ = {} ⟹ FCD Γ 𝒱 Tr⇘ES⇙"
by (simp add: FCD_def)
(* Vacuous: FCD ranges over v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙ and c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙, so an empty ∇⇘Γ⇙
   or an empty Υ⇘Γ⇙ leaves nothing to correct. *)
lemma Trivially_fulfilled_FCD_Nabla_Υ_empty:
"⟦∇⇘Γ⇙={} ∨ Υ⇘Γ⇙={}⟧⟹ FCD Γ 𝒱 Tr⇘ES⇙"
proof -
assume "∇⇘Γ⇙={} ∨ Υ⇘Γ⇙={}"
thus ?thesis
proof(rule disjE)
assume "∇⇘Γ⇙={}" thus ?thesis
by (simp add: FCD_def)
next
assume " Υ⇘Γ⇙={}" thus ?thesis
by (simp add: FCD_def)
qed
qed
(* If every N-event is a correction event (N⇘𝒱⇙ ⊆ Δ⇘Γ⇙) then BSD already gives
   FCD: delete c from β @ [c] @ ([v] @ α) with BSD; the resulting suffix α'
   still has v as its first V-event, so it splits as δ @ [v] @ α'' where δ has
   no V- and no C-events, i.e. consists of N-events, hence of Δ-events. *)
lemma Trivially_fulfilled_FCD_N_subseteq_Δ_and_BSD:
"⟦N⇘𝒱⇙ ⊆ Δ⇘Γ⇙; BSD 𝒱 Tr⇘ES⇙⟧ ⟹ FCD Γ 𝒱 Tr⇘ES⇙"
proof -
assume "N⇘𝒱⇙ ⊆ Δ⇘Γ⇙"
and "BSD 𝒱 Tr⇘ES⇙"
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [c,v] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙ = []"
from ‹c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙› have "c ∈ C⇘𝒱⇙"
by auto
from ‹v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙› have "v ∈ V⇘𝒱⇙"
by auto
(* Treat v as part of the C-free suffix so that BSD can delete c in front of it. *)
let ?α="[v] @ α"
from ‹v ∈ V⇘𝒱⇙› ‹α↿C⇘𝒱⇙ = []› have "?α↿C⇘𝒱⇙=[]"
using VIsViewOnE
unfolding isViewOn_def V_valid_def VC_disjoint_def projection_def by auto
from ‹β @ [c,v] @ α ∈ Tr⇘ES⇙› have "β @ [c] @ ?α ∈ Tr⇘ES⇙"
by auto
from ‹BSD 𝒱 Tr⇘ES⇙›
obtain α'
where "β @ α' ∈ Tr⇘ES⇙"
and "α'↿V⇘𝒱⇙ = ([v] @ α)↿V⇘𝒱⇙"
and "α'↿C⇘𝒱⇙ = []"
using ‹c ∈ C⇘𝒱⇙› ‹β @ [c] @ ?α ∈ Tr⇘ES⇙› ‹?α↿C⇘𝒱⇙ = []›
unfolding BSD_def by auto
(* v is the first V-event of α', so α' = δ @ [v] @ α'' with δ free of V-events. *)
from‹v ∈ V⇘𝒱⇙› ‹α'↿V⇘𝒱⇙ = ([v] @ α)↿V⇘𝒱⇙› have "α'↿V⇘𝒱⇙ = [v] @ α↿V⇘𝒱⇙"
by (simp add: projection_def)
then obtain δ α''
where "α'=δ @ [v] @ α''"
and "δ↿V⇘𝒱⇙ = []"
and "α''↿V⇘𝒱⇙ = α↿V⇘𝒱⇙"
using projection_split_first_with_suffix by fastforce
from ‹α'↿C⇘𝒱⇙ = []› ‹α'=δ @ [v] @ α''› have "δ↿C⇘𝒱⇙=[]"
by (metis append_is_Nil_conv projection_concatenation_commute)
from ‹α'↿C⇘𝒱⇙ = []› ‹α'=δ @ [v] @ α''› have "α''↿C⇘𝒱⇙=[]"
by (metis append_is_Nil_conv projection_concatenation_commute)
(* δ consists of ES-events that are neither in V nor in C, hence lie in N ⊆ Δ. *)
from ‹β @ α' ∈ Tr⇘ES⇙› have "set α' ⊆ E⇘ES⇙" using validES
unfolding ES_valid_def traces_contain_events_def by auto
with ‹α'=δ @ [v] @ α''› have "set δ ⊆ E⇘ES⇙"
by auto
with ‹δ↿C⇘𝒱⇙=[]› ‹δ↿V⇘𝒱⇙ = []› ‹N⇘𝒱⇙ ⊆ Δ⇘Γ⇙›
have "(set δ) ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)"
using VIsViewOnE projection_empty_implies_absence_of_events
unfolding isViewOn_def projection_def by blast
let ?β=β and ?δ'=δ and ?α'=α''
from ‹(set δ) ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)› ‹β @ α' ∈ Tr⇘ES⇙› ‹α'=δ @ [v] @ α''›
‹α''↿V⇘𝒱⇙ = α↿V⇘𝒱⇙› ‹α''↿C⇘𝒱⇙=[]›
have "(set ?δ')⊆(N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ?β @ ?δ' @ [v] @ ?α' ∈ Tr⇘ES⇙ ∧ ?α'↿V⇘𝒱⇙=α↿V⇘𝒱⇙ ∧ ?α'↿C⇘𝒱⇙=[]"
by auto
hence "∃α''' δ''. (set δ'') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ (β @ δ'' @ [v] @ α''') ∈ Tr⇘ES⇙
∧ α''' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α''' ↿ C⇘𝒱⇙ = []"
by auto
}
thus ?thesis
unfolding FCD_def by auto
qed
(* Vacuous: SI's premise c ∈ C⇘𝒱⇙ (see its unfolding in
   SI_implies_SI_for_modified_view) is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_SI_C_empty:
"C⇘𝒱⇙ = {} ⟹ SI 𝒱 Tr⇘ES⇙"
by (simp add: SI_def)
(* Vacuous: BSI's premise c ∈ C⇘𝒱⇙ is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_BSI_C_empty:
"C⇘𝒱⇙ = {} ⟹ BSI 𝒱 Tr⇘ES⇙"
by (simp add: BSI_def)
(* Vacuous: I's premise c ∈ C⇘𝒱⇙ is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_I_C_empty:
"C⇘𝒱⇙ = {} ⟹ I 𝒱 Tr⇘ES⇙"
by (simp add: I_def)
(* Vacuous: FCI's premise c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_FCI_C_empty:
"C⇘𝒱⇙ = {} ⟹ FCI Γ 𝒱 Tr⇘ES⇙"
by (simp add: FCI_def)
(* Vacuous for any ρ: SIA's premise c ∈ C⇘𝒱⇙ is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_SIA_C_empty:
"C⇘𝒱⇙ = {} ⟹ SIA ρ 𝒱 Tr⇘ES⇙"
by (simp add: SIA_def)
(* Vacuous for any ρ: BSIA's premise c ∈ C⇘𝒱⇙ is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_BSIA_C_empty:
"C⇘𝒱⇙ = {} ⟹ BSIA ρ 𝒱 Tr⇘ES⇙"
by (simp add: BSIA_def)
(* Vacuous for any ρ: IA's premise c ∈ C⇘𝒱⇙ is unsatisfiable when C is empty. *)
lemma Trivially_fulfilled_IA_C_empty:
"C⇘𝒱⇙ = {} ⟹ IA ρ 𝒱 Tr⇘ES⇙"
by (simp add: IA_def)
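(* Vacuous for any ρ and Γ: FCIA's premise c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ is unsatisfiable when
   C is empty. The arguments are written in the order FCIA ρ Γ 𝒱 used by every
   other FCIA lemma in this theory (SIA_implies_FCIA, FCI_implies_FCIA,
   Trivially_fulfilled_FCIA_V_empty, ...); the statement previously read
   "FCIA Γ ρ 𝒱", which only swapped the names of the two free variables but
   made instantiation by position confusing. *)
lemma Trivially_fulfilled_FCIA_C_empty:
"C⇘𝒱⇙ = {} ⟹ FCIA ρ Γ 𝒱 Tr⇘ES⇙"
by (simp add: FCIA_def)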
(* Vacuous: FCI's premise v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙ is unsatisfiable when V is empty. *)
lemma Trivially_fulfilled_FCI_V_empty:
"V⇘𝒱⇙ = {} ⟹ FCI Γ 𝒱 Tr⇘ES⇙"
by (simp add: FCI_def)
(* Vacuous for any ρ: FCIA's premise v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙ is unsatisfiable when V is empty. *)
lemma Trivially_fulfilled_FCIA_V_empty:
"V⇘𝒱⇙ = {} ⟹ FCIA ρ Γ 𝒱 Tr⇘ES⇙"
by (simp add: FCIA_def)
(* Without visible events BSIA holds whenever ρ 𝒱 covers C ∪ N: then (V = {})
   ρ 𝒱 covers all of E⇘ES⇙, so the admissibility witness γ agrees with β on
   every event, i.e. γ = β, and β @ [c] is a trace; α' = [] then satisfies the
   remaining conditions. *)
lemma Trivially_fulfilled_BSIA_V_empty_rho_subseteq_C_N:
"⟦V⇘𝒱⇙ = {}; ρ 𝒱 ⊇ (C⇘𝒱⇙ ∪ N⇘𝒱⇙) ⟧ ⟹ BSIA ρ 𝒱 Tr⇘ES⇙"
proof -
assume "V⇘𝒱⇙={}"
and "ρ 𝒱 ⊇ (C⇘𝒱⇙ ∪ N⇘𝒱⇙)"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙=[]"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
(* Admissibility: some γ with γ @ [c] ∈ Tr that agrees with β on ρ 𝒱. *)
from ‹Adm 𝒱 ρ Tr⇘ES⇙ β c›
obtain γ
where "γ @ [c] ∈ Tr⇘ES⇙"
and "γ↿(ρ 𝒱) = β↿(ρ 𝒱)"
unfolding Adm_def by auto
from this(1) have "γ ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
moreover
from ‹β @ α ∈ Tr⇘ES⇙› have "β ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
ultimately
(* With V = {}, E⇘ES⇙ = C ∪ N ⊆ ρ 𝒱, so agreement on ρ 𝒱 is agreement on E⇘ES⇙. *)
have "β↿E⇘ES⇙=γ↿E⇘ES⇙"
using validES VIsViewOnE ‹V⇘𝒱⇙={}› ‹γ↿(ρ 𝒱) = β↿(ρ 𝒱)› ‹ρ 𝒱 ⊇ (C⇘𝒱⇙ ∪ N⇘𝒱⇙)›
non_empty_projection_on_subset
unfolding ES_valid_def isViewOn_def traces_contain_events_def
by (metis empty_subsetI sup_absorb2 sup_commute)
(* Traces consist of ES-events only, so β↿E = β and γ↿E = γ, hence β = γ. *)
hence "β @ [c] ∈ Tr⇘ES⇙" using validES ‹γ @ [c] ∈ Tr⇘ES⇙› ‹β ∈ Tr⇘ES⇙› ‹γ ∈ Tr⇘ES⇙›
unfolding ES_valid_def traces_contain_events_def
by (metis list_subset_iff_projection_neutral subsetI)
let ?α'="[]"
from ‹β @ [c] ∈ Tr⇘ES⇙› ‹V⇘𝒱⇙ = {}›
have "β @ [c] @ ?α' ∈Tr⇘ES⇙ ∧ ?α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ ?α'↿C⇘𝒱⇙ = []"
by (simp add: projection_on_empty_trace projection_to_emptyset_is_empty_trace)
hence "∃ α'. β @ [c] @ α' ∈Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []"
by auto
}
thus ?thesis
unfolding BSIA_def by auto
qed
(* IA counterpart of Trivially_fulfilled_BSIA_V_empty_rho_subseteq_C_N: the
   same argument shows β @ [c] ∈ Tr; the IA witness keeps the prefix (β' = β)
   and uses the empty suffix. *)
lemma Trivially_fulfilled_IA_V_empty_rho_subseteq_C_N:
"⟦V⇘𝒱⇙ = {}; ρ 𝒱 ⊇ (C⇘𝒱⇙ ∪ N⇘𝒱⇙) ⟧ ⟹ IA ρ 𝒱 Tr⇘ES⇙"
proof -
assume "V⇘𝒱⇙={}"
and "ρ 𝒱 ⊇ (C⇘𝒱⇙ ∪ N⇘𝒱⇙)"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙=[]"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
from ‹Adm 𝒱 ρ Tr⇘ES⇙ β c›
obtain γ
where "γ @ [c] ∈ Tr⇘ES⇙"
and "γ↿(ρ 𝒱) = β↿(ρ 𝒱)"
unfolding Adm_def by auto
from this(1) have "γ ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
moreover
from ‹β @ α ∈ Tr⇘ES⇙› have "β ∈ Tr⇘ES⇙" using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
ultimately
(* V = {} and ρ 𝒱 ⊇ C ∪ N make ρ 𝒱 cover E⇘ES⇙, so γ and β agree on all events. *)
have "β↿E⇘ES⇙=γ↿E⇘ES⇙"
using validES VIsViewOnE ‹V⇘𝒱⇙={}› ‹γ↿(ρ 𝒱) = β↿(ρ 𝒱)› ‹ρ 𝒱 ⊇ (C⇘𝒱⇙ ∪ N⇘𝒱⇙)›
non_empty_projection_on_subset
unfolding ES_valid_def isViewOn_def traces_contain_events_def
by (metis empty_subsetI sup_absorb2 sup_commute)
hence "β @ [c] ∈ Tr⇘ES⇙" using validES ‹γ @ [c] ∈ Tr⇘ES⇙› ‹β ∈ Tr⇘ES⇙› ‹γ ∈ Tr⇘ES⇙›
unfolding ES_valid_def traces_contain_events_def
by (metis list_subset_iff_projection_neutral subsetI)
let ?β'=β and ?α'="[]"
from ‹β @ [c] ∈ Tr⇘ES⇙› ‹V⇘𝒱⇙ = {}›
have "?β' @ [c] @ ?α' ∈Tr⇘ES⇙ ∧ ?α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ ?α'↿C⇘𝒱⇙ = []
∧ ?β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙)"
by (simp add: projection_on_empty_trace projection_to_emptyset_is_empty_trace)
hence "∃ α' β'.
β' @ [c] @ α' ∈Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇙ = α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙ = []
∧ β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙)"
by auto
}
thus ?thesis
unfolding IA_def by auto
qed
(* Without visible events BSI holds if ES is total on C⇘𝒱⇙: totality lets any
   confidential c be appended to the trace β (a trace by prefix closure), and
   since V = {} an empty suffix matches α on V and is C-free. *)
lemma Trivially_fulfilled_BSI_V_empty_total_ES_C:
"⟦V⇘𝒱⇙ = {}; total ES C⇘𝒱⇙ ⟧ ⟹ BSI 𝒱 Tr⇘ES⇙"
proof -
assume "V⇘𝒱⇙ = {}"
and "total ES C⇘𝒱⇙"
{
fix α β c
assume "β @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙=[]"
and "c ∈ C⇘𝒱⇙"
from ‹β @ α ∈ Tr⇘ES⇙› have "β ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
with ‹total ES C⇘𝒱⇙› have "β @ [c] ∈ Tr⇘ES⇙"
using ‹c ∈ C⇘𝒱⇙› unfolding total_def by auto
moreover
from ‹V⇘𝒱⇙ = {}› have "α↿V⇘𝒱⇙=[]"
unfolding projection_def by auto
ultimately
have "∃α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇙=α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙=[]"
using ‹α ↿ C⇘𝒱⇙ = []› by (metis append_Nil2 projection_idempotent)
}
thus ?thesis
unfolding BSI_def by auto
qed
(* I counterpart of Trivially_fulfilled_BSI_V_empty_total_ES_C: totality on C
   gives β @ [c] ∈ Tr; the prefix is kept unchanged (so its V ∪ C-projection
   trivially agrees with β's) and the suffix is empty. *)
lemma Trivially_fulfilled_I_V_empty_total_ES_C:
"⟦V⇘𝒱⇙ = {}; total ES C⇘𝒱⇙ ⟧ ⟹ I 𝒱 Tr⇘ES⇙"
proof -
assume "V⇘𝒱⇙ = {}"
and "total ES C⇘𝒱⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇙"
and "β @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙=[]"
from ‹β @ α ∈ Tr⇘ES⇙› have "β ∈ Tr⇘ES⇙"
using validES
unfolding ES_valid_def traces_prefixclosed_def prefixclosed_def prefix_def by auto
with ‹total ES C⇘𝒱⇙› have "β @ [c] ∈ Tr⇘ES⇙"
using ‹c ∈ C⇘𝒱⇙› unfolding total_def by auto
moreover
from ‹V⇘𝒱⇙ = {}› have "α↿V⇘𝒱⇙=[]"
unfolding projection_def by auto
ultimately
have "∃β' α'.
β' @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇙=α↿V⇘𝒱⇙ ∧ α'↿C⇘𝒱⇙=[] ∧ β'↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙) = β↿(V⇘𝒱⇙ ∪ C⇘𝒱⇙)"
using ‹α ↿ C⇘𝒱⇙ = []› by (metis append_Nil2 projection_idempotent)
}
thus ?thesis
unfolding I_def by blast
qed
(* Vacuous: FCI ranges over v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙ and c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙, so an empty ∇⇘Γ⇙
   or an empty Υ⇘Γ⇙ leaves nothing to correct. *)
lemma Trivially_fulfilled_FCI_Nabla_Υ_empty:
"⟦∇⇘Γ⇙={} ∨ Υ⇘Γ⇙={}⟧⟹ FCI Γ 𝒱 Tr⇘ES⇙"
proof -
assume "∇⇘Γ⇙={} ∨ Υ⇘Γ⇙={}"
thus ?thesis
proof(rule disjE)
assume "∇⇘Γ⇙={}" thus ?thesis
by (simp add: FCI_def)
next
assume " Υ⇘Γ⇙={}" thus ?thesis
by (simp add: FCI_def)
qed
qed
(* Vacuous for any ρ, by the same case split as for FCI/FCD: an empty ∇⇘Γ⇙ or
   Υ⇘Γ⇙ makes FCIA's premises on v resp. c unsatisfiable. *)
lemma Trivially_fulfilled_FCIA_Nabla_Υ_empty:
"⟦∇⇘Γ⇙={} ∨ Υ⇘Γ⇙={}⟧⟹ FCIA ρ Γ 𝒱 Tr⇘ES⇙"
proof -
assume "∇⇘Γ⇙={} ∨ Υ⇘Γ⇙={}"
thus ?thesis
proof(rule disjE)
assume "∇⇘Γ⇙={}" thus ?thesis
by (simp add: FCIA_def)
next
assume " Υ⇘Γ⇙={}" thus ?thesis
by (simp add: FCIA_def)
qed
qed
(* Insertion analogue of Trivially_fulfilled_FCD_N_subseteq_Δ_and_BSD: if every
   N-event is a correction event (N⇘𝒱⇙ ⊆ Δ⇘Γ⇙), BSI already gives FCI. Insert c
   with BSI in front of the C-free suffix [v] @ α; the BSI suffix α' starts
   (in its V-projection) with v, so α' = δ @ [v] @ α'' where δ has no V- and
   no C-events, i.e. lies in N ⊆ Δ. *)
lemma Trivially_fulfilled_FCI_N_subseteq_Δ_and_BSI:
"⟦N⇘𝒱⇙ ⊆ Δ⇘Γ⇙; BSI 𝒱 Tr⇘ES⇙⟧ ⟹ FCI Γ 𝒱 Tr⇘ES⇙"
proof -
assume "N⇘𝒱⇙ ⊆ Δ⇘Γ⇙"
and "BSI 𝒱 Tr⇘ES⇙"
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [v] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙ = []"
from ‹c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙› have "c ∈ C⇘𝒱⇙"
by auto
from ‹v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙› have "v ∈ V⇘𝒱⇙"
by auto
(* [v] @ α is C-free (v ∈ V, V and C disjoint), so BSI can insert c before it. *)
let ?α="[v] @ α"
from ‹v ∈ V⇘𝒱⇙› ‹α↿C⇘𝒱⇙ = []› have "?α↿C⇘𝒱⇙=[]"
using VIsViewOnE
unfolding isViewOn_def V_valid_def VC_disjoint_def projection_def by auto
from ‹β @ [v] @ α ∈ Tr⇘ES⇙› have "β @ ?α ∈ Tr⇘ES⇙"
by auto
from ‹BSI 𝒱 Tr⇘ES⇙›
obtain α'
where "β @ [c] @ α' ∈ Tr⇘ES⇙"
and "α'↿V⇘𝒱⇙ = ([v] @ α)↿V⇘𝒱⇙"
and "α'↿C⇘𝒱⇙ = []"
using ‹c ∈ C⇘𝒱⇙› ‹β @ ?α ∈ Tr⇘ES⇙› ‹?α↿C⇘𝒱⇙ = []›
unfolding BSI_def by blast
(* v is the first V-event of α', so α' = δ @ [v] @ α'' with δ free of V-events. *)
from‹v ∈ V⇘𝒱⇙› ‹α'↿V⇘𝒱⇙ = ([v] @ α)↿V⇘𝒱⇙› have "α'↿V⇘𝒱⇙ = [v] @ α↿V⇘𝒱⇙"
by (simp add: projection_def)
then
obtain δ α''
where "α'=δ @ [v] @ α''"
and "δ↿V⇘𝒱⇙ = []"
and "α''↿V⇘𝒱⇙ = α↿V⇘𝒱⇙"
using projection_split_first_with_suffix by fastforce
from ‹α'↿C⇘𝒱⇙ = []› ‹α'=δ @ [v] @ α''› have "δ↿C⇘𝒱⇙=[]"
by (metis append_is_Nil_conv projection_concatenation_commute)
from ‹α'↿C⇘𝒱⇙ = []› ‹α'=δ @ [v] @ α''› have "α''↿C⇘𝒱⇙=[]"
by (metis append_is_Nil_conv projection_concatenation_commute)
(* δ consists of ES-events that are neither in V nor in C, hence lie in N ⊆ Δ. *)
from ‹β @ [c] @ α' ∈ Tr⇘ES⇙› have "set α' ⊆ E⇘ES⇙"
using validES
unfolding ES_valid_def traces_contain_events_def by auto
with ‹α'=δ @ [v] @ α''› have "set δ ⊆ E⇘ES⇙"
by auto
with ‹δ↿C⇘𝒱⇙=[]› ‹δ↿V⇘𝒱⇙ = []› ‹N⇘𝒱⇙ ⊆ Δ⇘Γ⇙›
have "(set δ) ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)"
using VIsViewOnE projection_empty_implies_absence_of_events
unfolding isViewOn_def projection_def by blast
let ?β=β and ?δ'=δ and ?α'=α''
from ‹(set δ) ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)› ‹β @ [c] @ α' ∈ Tr⇘ES⇙› ‹α'=δ @ [v] @ α''›
‹α''↿V⇘𝒱⇙ = α↿V⇘𝒱⇙› ‹α''↿C⇘𝒱⇙=[]›
have "(set ?δ')⊆(N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ?β @ [c] @ ?δ' @ [v] @ ?α' ∈ Tr⇘ES⇙ ∧ ?α'↿V⇘𝒱⇙=α↿V⇘𝒱⇙ ∧ ?α'↿C⇘𝒱⇙=[]"
by auto
hence "∃α''' δ''. (set δ'') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ (β @ [c] @ δ'' @ [v] @ α''') ∈ Tr⇘ES⇙
∧ α''' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α''' ↿ C⇘𝒱⇙ = []"
by auto
}
thus ?thesis
unfolding FCI_def by auto
qed
(* Admissible variant of Trivially_fulfilled_FCI_N_subseteq_Δ_and_BSI: with
   N⇘𝒱⇙ ⊆ Δ⇘Γ⇙, BSIA gives FCIA. The FCIA admissibility premise Adm 𝒱 ρ Tr β c
   is passed straight to BSIA; the rest of the construction (splitting the BSIA
   suffix at its first V-event v) is unchanged. *)
lemma Trivially_fulfilled_FCIA_N_subseteq_Δ_and_BSIA:
"⟦N⇘𝒱⇙ ⊆ Δ⇘Γ⇙; BSIA ρ 𝒱 Tr⇘ES⇙⟧ ⟹ FCIA ρ Γ 𝒱 Tr⇘ES⇙"
proof -
assume "N⇘𝒱⇙ ⊆ Δ⇘Γ⇙"
and "BSIA ρ 𝒱 Tr⇘ES⇙"
{
fix α β c v
assume "c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙"
and "v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙"
and "β @ [v] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇙ = []"
and "Adm 𝒱 ρ Tr⇘ES⇙ β c"
from ‹c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙› have "c ∈ C⇘𝒱⇙"
by auto
from ‹v ∈ V⇘𝒱⇙ ∩ ∇⇘Γ⇙› have "v ∈ V⇘𝒱⇙"
by auto
let ?α="[v] @ α"
from ‹v ∈ V⇘𝒱⇙› ‹α↿C⇘𝒱⇙ = []› have "?α↿C⇘𝒱⇙=[]"
using VIsViewOnE
unfolding isViewOn_def V_valid_def VC_disjoint_def projection_def by auto
from ‹β @ [v] @ α ∈ Tr⇘ES⇙› have "β @ ?α ∈ Tr⇘ES⇙"
by auto
(* BSIA inserts the admissible c in front of the C-free suffix [v] @ α. *)
from ‹BSIA ρ 𝒱 Tr⇘ES⇙›
obtain α'
where "β @ [c] @ α' ∈ Tr⇘ES⇙"
and "α'↿V⇘𝒱⇙ = ([v] @ α)↿V⇘𝒱⇙"
and "α'↿C⇘𝒱⇙ = []"
using ‹c ∈ C⇘𝒱⇙› ‹β @ ?α ∈ Tr⇘ES⇙› ‹?α↿C⇘𝒱⇙ = []› ‹Adm 𝒱 ρ Tr⇘ES⇙ β c›
unfolding BSIA_def by blast
from‹v ∈ V⇘𝒱⇙› ‹α'↿V⇘𝒱⇙ = ([v] @ α)↿V⇘𝒱⇙› have "α'↿V⇘𝒱⇙ = [v] @ α↿V⇘𝒱⇙"
by (simp add: projection_def)
then
obtain δ α''
where "α'=δ @ [v] @ α''"
and "δ↿V⇘𝒱⇙ = []"
and "α''↿V⇘𝒱⇙ = α↿V⇘𝒱⇙"
using projection_split_first_with_suffix by fastforce
from ‹α'↿C⇘𝒱⇙ = []› ‹α'=δ @ [v] @ α''› have "δ↿C⇘𝒱⇙=[]"
by (metis append_is_Nil_conv projection_concatenation_commute)
from ‹α'↿C⇘𝒱⇙ = []› ‹α'=δ @ [v] @ α''› have "α''↿C⇘𝒱⇙=[]"
by (metis append_is_Nil_conv projection_concatenation_commute)
(* δ consists of ES-events that are neither in V nor in C, hence lie in N ⊆ Δ. *)
from ‹β @ [c] @ α' ∈ Tr⇘ES⇙› have "set α' ⊆ E⇘ES⇙"
using validES
unfolding ES_valid_def traces_contain_events_def by auto
with ‹α'=δ @ [v] @ α''› have "set δ ⊆ E⇘ES⇙"
by auto
with ‹δ↿C⇘𝒱⇙=[]› ‹δ↿V⇘𝒱⇙ = []› ‹N⇘𝒱⇙ ⊆ Δ⇘Γ⇙›
have "(set δ) ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)" using VIsViewOnE projection_empty_implies_absence_of_events
unfolding isViewOn_def projection_def by blast
let ?β=β and ?δ'=δ and ?α'=α''
from ‹(set δ) ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)› ‹β @ [c] @ α' ∈ Tr⇘ES⇙› ‹α'=δ @ [v] @ α''›
‹α''↿V⇘𝒱⇙ = α↿V⇘𝒱⇙› ‹α''↿C⇘𝒱⇙=[]›
have "(set ?δ')⊆(N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ ?β @ [c] @ ?δ' @ [v] @ ?α' ∈ Tr⇘ES⇙ ∧ ?α'↿V⇘𝒱⇙=α↿V⇘𝒱⇙ ∧ ?α'↿C⇘𝒱⇙=[]"
by auto
hence "∃α''' δ''. (set δ'') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ (β @ [c] @ δ'' @ [v] @ α''') ∈ Tr⇘ES⇙
∧ α''' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α''' ↿ C⇘𝒱⇙ = []"
by auto
}
thus ?thesis
unfolding FCIA_def by auto
qed
end
context BSPTaxonomyDifferentViewsFirstDim
begin
(* R is preserved when both the visible and the confidential events shrink
   (context assumptions V2_subset_V1, C2_subset_C1): a witness τ' that is
   C⇘𝒱⇩1⇙-free is C⇘𝒱⇩2⇙-free (projection_on_subset), and agreement with τ on
   V⇘𝒱⇩1⇙ implies agreement on V⇘𝒱⇩2⇙ (non_empty_projection_on_subset). *)
lemma R_implies_R_for_modified_view:
"R 𝒱⇩1 Tr⇘ES⇙ ⟹ R 𝒱⇩2 Tr⇘ES⇙"
proof -
assume R_𝒱⇩1: "R 𝒱⇩1 Tr⇘ES⇙"
{
fix τ
assume "τ ∈ Tr⇘ES⇙"
with R_𝒱⇩1 have "∃ τ' ∈ Tr⇘ES⇙. τ' ↿ C⇘𝒱⇩1⇙ = [] ∧ τ' ↿ V⇘𝒱⇩1⇙ = τ ↿ V⇘𝒱⇩1⇙"
unfolding R_def by auto
hence "∃ τ' ∈ Tr⇘ES⇙. τ' ↿ C⇘𝒱⇩2⇙ = [] ∧ τ' ↿ V⇘𝒱⇩2⇙ = τ ↿ V⇘𝒱⇩2⇙"
using V2_subset_V1 C2_subset_C1 non_empty_projection_on_subset projection_on_subset by blast
}
thus ?thesis
unfolding R_def by auto
qed
(* BSD is preserved when V and C shrink (V2_subset_V1, C2_subset_C1). The
   difficulty: a BSD-𝒱⇩2 suffix α is only C⇘𝒱⇩2⇙-free and may still contain
   events of C⇘𝒱⇩1⇙ ∖ C⇘𝒱⇩2⇙, so BSD for 𝒱⇩1 cannot be applied directly. The
   proof inducts on the number n of C⇘𝒱⇩1⇙-events in α, deleting the last one
   with BSD-𝒱⇩1 in each step (projection_split_last) until α is C⇘𝒱⇩1⇙-free;
   then BSD-𝒱⇩1 deletes c itself. *)
lemma BSD_implies_BSD_for_modified_view:
"BSD 𝒱⇩1 Tr⇘ES⇙⟹ BSD 𝒱⇩2 Tr⇘ES⇙"
proof-
assume BSD_𝒱⇩1: "BSD 𝒱⇩1 Tr⇘ES⇙"
{
fix α β c n
assume c_in_C⇩2: "c ∈ C⇘𝒱⇩2⇙"
from C2_subset_C1 c_in_C⇩2 have c_in_C⇩1: "c ∈ C⇘𝒱⇩1⇙"
by auto
(* Generalised statement, parameterised by the number n of C⇘𝒱⇩1⇙-events in α. *)
have "⟦β @ [c] @ α ∈ Tr⇘ES⇙; α ↿ C⇘𝒱⇩2⇙=[]; n= length(α ↿ C⇘𝒱⇩1⇙)⟧
⟹ ∃ α'. β @ α' ∈ Tr⇘ES⇙ ∧ α'↿ V⇘𝒱⇩2⇙ = α ↿V⇘𝒱⇩2⇙ ∧ α' ↿C⇘𝒱⇩2⇙ = []"
proof(induct n arbitrary: α )
case 0
(* α is C⇘𝒱⇩1⇙-free: BSD for 𝒱⇩1 deletes c directly; weaken the witness to 𝒱⇩2. *)
from "0.prems"(3) have "α ↿ C⇘𝒱⇩1⇙ = []" by auto
with c_in_C⇩1 "0.prems"(1)
have "∃ α'. β @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙ ∧ α' ↿C⇘𝒱⇩1⇙ =[]"
using BSD_𝒱⇩1 unfolding BSD_def by auto
then
obtain α' where "β @ α' ∈ Tr⇘ES⇙"
and "α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙"
and "α' ↿C⇘𝒱⇩1⇙ =[]"
by auto
from V2_subset_V1 ‹α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙› have "α'↿ V⇘𝒱⇩2⇙ = α ↿V⇘𝒱⇩2⇙"
using non_empty_projection_on_subset by blast
moreover
from ‹α' ↿C⇘𝒱⇩1⇙ =[]› C2_subset_C1 have "α' ↿ C⇘𝒱⇩2⇙ = []"
using projection_on_subset by auto
ultimately
show ?case
using ‹β @ α' ∈ Tr⇘ES⇙› by auto
next
case (Suc n)
(* Split off the last C⇘𝒱⇩1⇙-event c⇩1 of α, delete it with BSD for 𝒱⇩1, and
   apply the induction hypothesis to the remainder γ⇩1 @ γ⇩2', which has n
   C⇘𝒱⇩1⇙-events. *)
from "Suc.prems"(3) projection_split_last[OF "Suc.prems"(3)]
obtain γ⇩1 γ⇩2 c⇩1 where c⇩1_in_C⇩1: "c⇩1 ∈ C⇘𝒱⇩1⇙"
and "α = γ⇩1 @ [c⇩1] @ γ⇩2"
and "γ⇩2 ↿C⇘𝒱⇩1⇙ = []"
and "n = length((γ⇩1 @ γ⇩2)↿ C⇘𝒱⇩1⇙)"
by auto
from "Suc.prems"(2) ‹α = γ⇩1 @ [c⇩1] @ γ⇩2› have "γ⇩1 ↿ C⇘𝒱⇩2⇙ = []"
by (simp add: projection_concatenation_commute)
from "Suc.prems"(1) ‹α = γ⇩1 @ [c⇩1] @ γ⇩2›
obtain β' where "β'=β @ [c] @ γ⇩1"
and "β' @ [c⇩1] @ γ⇩2 ∈ Tr⇘ES⇙"
by auto
from ‹β' @ [c⇩1] @ γ⇩2 ∈ Tr⇘ES⇙› ‹γ⇩2 ↿C⇘𝒱⇩1⇙ = []› ‹c⇩1 ∈ C⇘𝒱⇩1⇙›
obtain γ⇩2' where " β' @ γ⇩2' ∈ Tr⇘ES⇙"
and "γ⇩2' ↿ V⇘𝒱⇩1⇙ = γ⇩2 ↿ V⇘𝒱⇩1⇙"
and "γ⇩2' ↿C⇘𝒱⇩1⇙ =[]"
using BSD_𝒱⇩1 unfolding BSD_def by auto
from ‹β'=β @ [c] @ γ⇩1› ‹β' @ γ⇩2' ∈ Tr⇘ES⇙› have "β @ [c] @ γ⇩1 @ γ⇩2' ∈ Tr⇘ES⇙"
by auto
moreover
from ‹γ⇩1 ↿ C⇘𝒱⇩2⇙=[]› ‹γ⇩2' ↿C⇘𝒱⇩1⇙ =[]› C2_subset_C1 have "(γ⇩1 @ γ⇩2') ↿ C⇘𝒱⇩2⇙ =[]"
by (metis append_Nil projection_concatenation_commute projection_on_subset)
moreover
from ‹n = length((γ⇩1 @ γ⇩2)↿ C⇘𝒱⇩1⇙)› ‹γ⇩2 ↿C⇘𝒱⇩1⇙ = []› ‹γ⇩2' ↿C⇘𝒱⇩1⇙ =[]›
have "n = length((γ⇩1 @ γ⇩2')↿ C⇘𝒱⇩1⇙)"
by (simp add: projection_concatenation_commute)
ultimately
have witness: "∃ α'. β @ α' ∈ Tr⇘ES⇙ ∧ α'↿ V⇘𝒱⇩2⇙ = (γ⇩1 @ γ⇩2') ↿V⇘𝒱⇩2⇙ ∧ α' ↿C⇘𝒱⇩2⇙ = []"
using Suc.hyps by auto
(* The deleted c⇩1 is confidential in 𝒱⇩1 and therefore (V/C disjoint,
   V⇘𝒱⇩2⇙ ⊆ V⇘𝒱⇩1⇙) not visible in 𝒱⇩2, so the V⇘𝒱⇩2⇙-projection is unaffected. *)
from 𝒱⇩1IsViewOnE 𝒱⇩2IsViewOnE V2_subset_V1 C2_subset_C1 c⇩1_in_C⇩1 have "c⇩1 ∉ V⇘𝒱⇩2⇙"
unfolding isViewOn_def V_valid_def VC_disjoint_def by auto
with ‹α = γ⇩1 @ [c⇩1] @ γ⇩2› have "α ↿ V⇘𝒱⇩2⇙ = (γ⇩1 @ γ⇩2) ↿ V⇘𝒱⇩2⇙"
unfolding projection_def by auto
hence "α ↿ V⇘𝒱⇩2⇙ = γ⇩1 ↿ V⇘𝒱⇩2⇙ @ γ⇩2 ↿ V⇘𝒱⇩2⇙ "
using projection_concatenation_commute by auto
with V2_subset_V1 ‹γ⇩2' ↿ V⇘𝒱⇩1⇙ = γ⇩2 ↿ V⇘𝒱⇩1⇙›
have "γ⇩1 ↿ V⇘𝒱⇩2⇙ @ γ⇩2 ↿ V⇘𝒱⇩2⇙ = γ⇩1↿ V⇘𝒱⇩2⇙ @ γ⇩2' ↿ V⇘𝒱⇩2⇙"
using non_empty_projection_on_subset by metis
with ‹α ↿ V⇘𝒱⇩2⇙ = γ⇩1 ↿ V⇘𝒱⇩2⇙ @ γ⇩2 ↿ V⇘𝒱⇩2⇙› have "α ↿ V⇘𝒱⇩2⇙ = (γ⇩1 @ γ⇩2') ↿ V⇘𝒱⇩2⇙"
by (simp add: projection_concatenation_commute)
from witness ‹α ↿ V⇘𝒱⇩2⇙ = (γ⇩1 @ γ⇩2') ↿ V⇘𝒱⇩2⇙›
show ?case
by auto
qed
}
thus ?thesis
unfolding BSD_def by auto
qed
(* D is preserved when V and C shrink (V2_subset_V1, C2_subset_C1). Same
   induction on the number n of C⇘𝒱⇩1⇙-events in α as in
   BSD_implies_BSD_for_modified_view, with one extra complication: D may also
   rewrite the prefix, so after each deletion the new prefix β'' has to be
   re-split around c (projection_split_arbitrary_element) to recover a prefix
   that still agrees with β on V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙. *)
lemma D_implies_D_for_modified_view:
"D 𝒱⇩1 Tr⇘ES⇙ ⟹ D 𝒱⇩2 Tr⇘ES⇙"
proof-
assume D_𝒱⇩1: "D 𝒱⇩1 Tr⇘ES⇙"
from V2_subset_V1 C2_subset_C1
have V⇩2_union_C⇩2_subset_V⇩1_union_C⇩1: "V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙ ⊆ V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙" by auto
{
fix α β c n
assume c_in_C⇩2: "c ∈ C⇘𝒱⇩2⇙"
from C2_subset_C1 c_in_C⇩2 have c_in_C⇩1: "c ∈ C⇘𝒱⇩1⇙"
by auto
(* Generalised over n (number of C⇘𝒱⇩1⇙-events in α) and over the prefix β. *)
have "⟦β @ [c] @ α ∈ Tr⇘ES⇙; α ↿ C⇘𝒱⇩2⇙=[]; n= length(α ↿ C⇘𝒱⇩1⇙)⟧
⟹ ∃ α' β'.
β' @ α' ∈ Tr⇘ES⇙ ∧ α'↿ V⇘𝒱⇩2⇙ = α ↿V⇘𝒱⇩2⇙ ∧ α' ↿C⇘𝒱⇩2⇙ = []
∧ β' ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) = β ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) "
proof(induct n arbitrary: α β )
case 0
(* α is C⇘𝒱⇩1⇙-free: D for 𝒱⇩1 deletes c directly; weaken the witness to 𝒱⇩2. *)
from "0.prems"(3) have "α ↿ C⇘𝒱⇩1⇙ = []" by auto
with c_in_C⇩1 "0.prems"(1)
have "∃ α' β'.
β' @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙ ∧ α' ↿C⇘𝒱⇩1⇙ =[]
∧ β' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
using D_𝒱⇩1 unfolding D_def by fastforce
then
obtain β' α' where "β' @ α' ∈ Tr⇘ES⇙"
and "α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙"
and "α' ↿C⇘𝒱⇩1⇙ =[]"
and "β' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
by auto
from V2_subset_V1 ‹α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙› have "α'↿ V⇘𝒱⇩2⇙ = α ↿V⇘𝒱⇩2⇙"
using non_empty_projection_on_subset by blast
moreover
from ‹α' ↿C⇘𝒱⇩1⇙ =[]› C2_subset_C1 have "α' ↿ C⇘𝒱⇩2⇙ = []"
using projection_on_subset by auto
moreover
from ‹β' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)› V⇩2_union_C⇩2_subset_V⇩1_union_C⇩1
have "β' ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) = β ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙)"
using non_empty_projection_on_subset by blast
ultimately
show ?case
using ‹β' @ α' ∈ Tr⇘ES⇙› by auto
next
case (Suc n)
(* Split off the last C⇘𝒱⇩1⇙-event c⇩1 of α and delete it with D for 𝒱⇩1. *)
from "Suc.prems"(3) projection_split_last[OF "Suc.prems"(3)]
obtain γ⇩1 γ⇩2 c⇩1 where c⇩1_in_C⇩1: "c⇩1 ∈ C⇘𝒱⇩1⇙"
and "α = γ⇩1 @ [c⇩1] @ γ⇩2"
and "γ⇩2 ↿C⇘𝒱⇩1⇙ = []"
and "n = length((γ⇩1 @ γ⇩2)↿ C⇘𝒱⇩1⇙)"
by auto
from "Suc.prems"(2) ‹α = γ⇩1 @ [c⇩1] @ γ⇩2› have "γ⇩1 ↿ C⇘𝒱⇩2⇙ = []"
by (simp add: projection_concatenation_commute)
from "Suc.prems"(1) ‹α = γ⇩1 @ [c⇩1] @ γ⇩2›
obtain β' where "β'=β @ [c] @ γ⇩1"
and "β' @ [c⇩1] @ γ⇩2 ∈ Tr⇘ES⇙"
by auto
from ‹β' @ [c⇩1] @ γ⇩2 ∈ Tr⇘ES⇙› ‹γ⇩2 ↿C⇘𝒱⇩1⇙ = []› ‹c⇩1 ∈ C⇘𝒱⇩1⇙›
obtain γ⇩2' β'' where " β'' @ γ⇩2' ∈ Tr⇘ES⇙"
and "γ⇩2' ↿ V⇘𝒱⇩1⇙ = γ⇩2 ↿ V⇘𝒱⇩1⇙"
and "γ⇩2' ↿C⇘𝒱⇩1⇙ =[]"
and "β'' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
using D_𝒱⇩1 unfolding D_def by force
(* D may have changed the prefix β' = β @ [c] @ γ⇩1 into β''; since c ∈ C⇘𝒱⇩1⇙ is
   kept by the (V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)-projection, β'' still contains c and can be
   re-split as β''' @ [c] @ γ⇩1' with the parts agreeing with β and γ⇩1. *)
from c_in_C⇩1 have "c ∈ V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙"
by auto
moreover
from ‹β'' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)› ‹β'=β @ [c] @ γ⇩1›
have "β'' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = (β @ [c] @ γ⇩1) ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
by auto
ultimately
have "∃ β''' γ⇩1'. β''=β'''@ [c] @ γ⇩1'
∧ β''' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)
∧ γ⇩1'↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = γ⇩1 ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
using projection_split_arbitrary_element by fast
then
obtain β''' γ⇩1' where "β''= β''' @ [c] @ γ⇩1'"
and "β''' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
and "γ⇩1'↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = γ⇩1 ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
using projection_split_arbitrary_element by auto
from ‹β'' @ γ⇩2' ∈ Tr⇘ES⇙› this(1)
have "β''' @ [c] @ γ⇩1' @ γ⇩2' ∈ Tr⇘ES⇙"
by simp
(* Establish the induction hypothesis' premises for the new suffix γ⇩1' @ γ⇩2'. *)
from ‹γ⇩2' ↿C⇘𝒱⇩1⇙ =[]› have "γ⇩2' ↿ C⇘𝒱⇩2⇙=[]"
using C2_subset_C1 projection_on_subset by auto
moreover
from ‹γ⇩1 ↿ C⇘𝒱⇩2⇙ = []› ‹γ⇩1'↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = γ⇩1 ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)›
have "γ⇩1'↿ C⇘𝒱⇩2⇙ = []" using C2_subset_C1 V2_subset_V1
by (metis non_empty_projection_on_subset projection_subset_eq_from_superset_eq sup_commute)
ultimately
have "(γ⇩1' @ γ⇩2')↿C⇘𝒱⇩2⇙ = []"
by (simp add: projection_concatenation_commute)
from ‹γ⇩1'↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = γ⇩1 ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)› have "γ⇩1'↿C⇘𝒱⇩1⇙ = γ⇩1↿C⇘𝒱⇩1⇙"
using projection_subset_eq_from_superset_eq sup_commute by metis
hence "length(γ⇩1'↿C⇘𝒱⇩1⇙) = length(γ⇩1↿C⇘𝒱⇩1⇙)" by simp
moreover
from ‹γ⇩2 ↿C⇘𝒱⇩1⇙ = []› ‹γ⇩2'↿C⇘𝒱⇩1⇙=[]› have "length(γ⇩2'↿C⇘𝒱⇩1⇙) = length(γ⇩2↿C⇘𝒱⇩1⇙)"
by simp
ultimately
have "n=length((γ⇩1' @ γ⇩2')↿C⇘𝒱⇩1⇙)"
by (simp add: ‹n = length ((γ⇩1 @ γ⇩2) ↿ C⇘𝒱⇩1⇙)› projection_concatenation_commute)
from ‹β''' @ [c] @ γ⇩1' @ γ⇩2' ∈ Tr⇘ES⇙› ‹(γ⇩1' @ γ⇩2')↿C⇘𝒱⇩2⇙ = []› ‹n=length((γ⇩1' @ γ⇩2')↿C⇘𝒱⇩1⇙)›
have witness:
" ∃α' β'. β' @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩2⇙ = ( γ⇩1' @ γ⇩2') ↿ V⇘𝒱⇩2⇙
∧ α' ↿ C⇘𝒱⇩2⇙ = [] ∧ β' ↿ (V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) = β''' ↿ (V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙)"
using Suc.hyps[OF ‹β''' @ [c] @ γ⇩1' @ γ⇩2' ∈ Tr⇘ES⇙›] by simp
(* Relate the witness back to the original β and α on the 𝒱⇩2-projections. *)
from V⇩2_union_C⇩2_subset_V⇩1_union_C⇩1 ‹β''' ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)›
have "β''' ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) = β ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙)"
using non_empty_projection_on_subset by blast
from 𝒱⇩1IsViewOnE 𝒱⇩2IsViewOnE V2_subset_V1 C2_subset_C1 c⇩1_in_C⇩1 have "c⇩1 ∉ V⇘𝒱⇩2⇙"
unfolding isViewOn_def V_valid_def VC_disjoint_def by auto
with ‹α = γ⇩1 @ [c⇩1] @ γ⇩2› have "α ↿ V⇘𝒱⇩2⇙ = (γ⇩1 @ γ⇩2) ↿ V⇘𝒱⇩2⇙"
unfolding projection_def by auto
moreover
from V2_subset_V1 ‹γ⇩2' ↿ V⇘𝒱⇩1⇙ = γ⇩2 ↿ V⇘𝒱⇩1⇙› have "γ⇩2' ↿ V⇘𝒱⇩2⇙ = γ⇩2 ↿ V⇘𝒱⇩2⇙"
using V2_subset_V1 by (metis projection_subset_eq_from_superset_eq subset_Un_eq)
moreover
from ‹γ⇩1'↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = γ⇩1 ↿(V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)› have "γ⇩1' ↿ V⇘𝒱⇩2⇙ = γ⇩1 ↿ V⇘𝒱⇩2⇙"
using V2_subset_V1 by (metis projection_subset_eq_from_superset_eq subset_Un_eq)
ultimately
have "α ↿ V⇘𝒱⇩2⇙ = (γ⇩1' @ γ⇩2') ↿ V⇘𝒱⇩2⇙" using ‹α ↿ V⇘𝒱⇩2⇙ = (γ⇩1 @ γ⇩2) ↿ V⇘𝒱⇩2⇙›
by (simp add: projection_concatenation_commute)
from ‹β''' ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) = β ↿(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙)› ‹α ↿ V⇘𝒱⇩2⇙ = (γ⇩1' @ γ⇩2') ↿ V⇘𝒱⇩2⇙›
show ?case
using witness by simp
qed
}
thus ?thesis
unfolding D_def by auto
qed
end
context BSPTaxonomyDifferentViewsSecondDim
begin
(* FCD transfers from (Γ⇩1, 𝒱⇩1) to (Γ⇩2, 𝒱⇩2) when the corrected-visible and the
   perturbing-confidential sets shrink and the correction set grows:
   V⇘𝒱⇩2⇙ ∩ ∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙ ∩ ∇⇘Γ⇩1⇙, C⇘𝒱⇩2⇙ ∩ Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙ ∩ Υ⇘Γ⇩1⇙ and
   N⇘𝒱⇩1⇙ ∩ Δ⇘Γ⇩1⇙ ⊆ N⇘𝒱⇩2⇙ ∩ Δ⇘Γ⇩2⇙. Relies on the context assumptions
   C2_equals_C1 (so C-freeness is the same in both views) and V2_subset_V1.
   The FCD-𝒱⇩1 witness (δ', α') is reused as is. *)
lemma FCD_implies_FCD_for_modified_view_gamma:
"⟦FCD Γ⇩1 𝒱⇩1 Tr⇘ES⇙;
V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙; N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙; C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙ ⟧
⟹ FCD Γ⇩2 𝒱⇩2 Tr⇘ES⇙"
proof -
assume "FCD Γ⇩1 𝒱⇩1 Tr⇘ES⇙"
and "V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙"
and "N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙"
and "C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙"
{
fix α β v c
assume "c ∈ C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙"
and "v ∈ V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙"
and "β @ [c,v] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇩2⇙ = []"
(* Move the premises to (Γ⇩1, 𝒱⇩1) and apply FCD there. *)
from ‹c ∈ C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙› ‹C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙› have "c ∈ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙"
by auto
moreover
from ‹v ∈ V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙› ‹V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙› have "v ∈ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙"
by auto
moreover
from C2_equals_C1 ‹α↿C⇘𝒱⇩2⇙ = []› have "α↿C⇘𝒱⇩1⇙ = []"
by auto
ultimately
obtain α' δ' where "(set δ') ⊆ (N⇘𝒱⇩1⇙ ∩ Δ⇘Γ⇩1⇙)"
and "β @ δ' @ [v] @ α' ∈ Tr⇘ES⇙"
and "α'↿V⇘𝒱⇩1⇙ = α↿V⇘𝒱⇩1⇙"
and "α'↿C⇘𝒱⇩1⇙ = []"
using ‹β @ [c,v] @ α ∈ Tr⇘ES⇙› ‹FCD Γ⇩1 𝒱⇩1 Tr⇘ES⇙› unfolding FCD_def by blast
(* Weaken the witness back to (Γ⇩2, 𝒱⇩2). *)
from ‹(set δ') ⊆ (N⇘𝒱⇩1⇙ ∩ Δ⇘Γ⇩1⇙)› ‹N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙›
have "(set δ') ⊆ (N⇘𝒱⇩2⇙ ∩ Δ⇘Γ⇩2⇙)"
by auto
moreover
from ‹α'↿V⇘𝒱⇩1⇙ = α↿V⇘𝒱⇩1⇙› V2_subset_V1 have "α'↿V⇘𝒱⇩2⇙ = α↿V⇘𝒱⇩2⇙"
using non_empty_projection_on_subset by blast
moreover
from C2_equals_C1 ‹α'↿C⇘𝒱⇩1⇙ = []› have "α'↿C⇘𝒱⇩2⇙ = []"
by auto
ultimately
have "∃ δ' α'. (set δ') ⊆ (N⇘𝒱⇩2⇙ ∩ Δ⇘Γ⇩2⇙)
∧ β @ δ'@ [v] @ α' ∈ Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇩2⇙ = α↿V⇘𝒱⇩2⇙ ∧ α'↿C⇘𝒱⇩2⇙ = []"
using ‹β @ δ' @ [v] @ α' ∈ Tr⇘ES⇙› by auto
}
thus ?thesis
unfolding FCD_def by blast
qed
(* SI transfers to a view with the same confidential events (C2_equals_C1):
   the SI premises and conclusion only mention C, so they coincide for 𝒱⇩1
   and 𝒱⇩2. V2_subset_V1 is not needed here. *)
lemma SI_implies_SI_for_modified_view :
"SI 𝒱⇩1 Tr⇘ES⇙ ⟹ SI 𝒱⇩2 Tr⇘ES⇙"
proof -
assume SI: "SI 𝒱⇩1 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇩2⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C⇩2_empty: "α ↿ C⇘𝒱⇩2⇙ = []"
moreover
with C2_equals_C1 have "c ∈ C⇘𝒱⇩1⇙"
by auto
moreover
from alpha_C⇩2_empty C2_equals_C1 have "α ↿ C⇘𝒱⇩1⇙ = []"
by auto
ultimately
have "β @ (c # α) ∈ Tr⇘ES⇙"
using SI unfolding SI_def by auto
}
thus ?thesis
unfolding SI_def by auto
qed
(* BSI transfers to a view with the same C (C2_equals_C1) and smaller V
   (V2_subset_V1): the BSI-𝒱⇩1 witness α' agrees with α on V⇘𝒱⇩1⇙, hence on
   V⇘𝒱⇩2⇙ (non_empty_projection_on_subset), and is C-free in both views. *)
lemma BSI_implies_BSI_for_modified_view :
"BSI 𝒱⇩1 Tr⇘ES⇙ ⟹ BSI 𝒱⇩2 Tr⇘ES⇙"
proof -
assume BSI: "BSI 𝒱⇩1 Tr⇘ES⇙"
{
fix α β c
assume "c ∈ C⇘𝒱⇩2⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C⇩2_empty: "α ↿ C⇘𝒱⇩2⇙ = []"
moreover
with C2_equals_C1 have "c ∈ C⇘𝒱⇩1⇙"
by auto
moreover
from alpha_C⇩2_empty C2_equals_C1 have "α ↿ C⇘𝒱⇩1⇙ = []"
by auto
ultimately
have "∃ α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙ ∧ α' ↿ C⇘𝒱⇩1⇙ = []"
using BSI unfolding BSI_def by auto
with V2_subset_V1 C2_equals_C1
have "∃ α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩2⇙ = α ↿ V⇘𝒱⇩2⇙ ∧ α' ↿ C⇘𝒱⇩2⇙ = []"
using non_empty_projection_on_subset by metis
}
thus ?thesis
unfolding BSI_def by auto
qed
(* I transfers to a view with the same C and smaller V: as for BSI, plus the
   prefix condition, which weakens from V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙ to the subset
   V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙ by non_empty_projection_on_subset. *)
lemma I_implies_I_for_modified_view :
"I 𝒱⇩1 Tr⇘ES⇙ ⟹ I 𝒱⇩2 Tr⇘ES⇙"
proof -
assume I: "I 𝒱⇩1 Tr⇘ES⇙"
from V2_subset_V1 C2_equals_C1 have V⇩2_union_C⇩2_subset_V⇩1_union_C⇩1: "V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙ ⊆ V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙"
by auto
{
fix α β c
assume "c ∈ C⇘𝒱⇩2⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C⇩2_empty: "α ↿ C⇘𝒱⇩2⇙ = []"
moreover
with C2_equals_C1 have "c ∈ C⇘𝒱⇩1⇙"
by auto
moreover
from alpha_C⇩2_empty C2_equals_C1 have "α ↿ C⇘𝒱⇩1⇙ = []"
by auto
ultimately
have "∃ α' β'.
β' @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙ ∧ α' ↿ C⇘𝒱⇩1⇙ = []
∧ β' ↿ (V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿ (V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
using I unfolding I_def by auto
with V⇩2_union_C⇩2_subset_V⇩1_union_C⇩1 V2_subset_V1 C2_equals_C1
have "∃ α' β'.
β' @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩2⇙ = α ↿ V⇘𝒱⇩2⇙ ∧ α' ↿ C⇘𝒱⇩2⇙ = []
∧ β' ↿ (V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) = β ↿ (V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙)"
using non_empty_projection_on_subset by metis
}
thus ?thesis
unfolding I_def by auto
qed
(* SIA transfers to a view with the same C provided the new correction function
   selects at least the events of the old one (ρ⇩2 𝒱⇩2 ⊇ ρ⇩1 𝒱⇩1): admissibility
   w.r.t. ρ⇩2 then implies admissibility w.r.t. ρ⇩1
   (Adm_implies_Adm_for_modified_rho), and the rest is as for SI. *)
lemma SIA_implies_SIA_for_modified_view :
"⟦SIA ρ⇩1 𝒱⇩1 Tr⇘ES⇙; ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1) ⟧ ⟹ SIA ρ⇩2 𝒱⇩2 Tr⇘ES⇙"
proof -
assume SIA: "SIA ρ⇩1 𝒱⇩1 Tr⇘ES⇙"
and ρ⇩2_supseteq_ρ⇩1: "ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1)"
{
fix α β c
assume "c ∈ C⇘𝒱⇩2⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C⇩2_empty: "α ↿ C⇘𝒱⇩2⇙ = []"
and admissible_c_ρ⇩2_𝒱⇩2:"Adm 𝒱⇩2 ρ⇩2 Tr⇘ES⇙ β c"
moreover
with C2_equals_C1 have "c ∈ C⇘𝒱⇩1⇙"
by auto
moreover
from alpha_C⇩2_empty C2_equals_C1 have "α ↿ C⇘𝒱⇩1⇙ = []"
by auto
moreover
from ρ⇩2_supseteq_ρ⇩1 admissible_c_ρ⇩2_𝒱⇩2 have "Adm 𝒱⇩1 ρ⇩1 Tr⇘ES⇙ β c"
by (simp add: Adm_implies_Adm_for_modified_rho)
ultimately
have "β @ (c # α) ∈ Tr⇘ES⇙"
using SIA unfolding SIA_def by auto
}
thus ?thesis
unfolding SIA_def by auto
qed
(* BSIA transfers to a view with the same C and smaller V when ρ⇩2 𝒱⇩2 ⊇ ρ⇩1 𝒱⇩1:
   admissibility is moved to (𝒱⇩1, ρ⇩1) by Adm_implies_Adm_for_modified_rho and
   the BSIA-𝒱⇩1 witness is weakened to 𝒱⇩2 as in BSI_implies_BSI_for_modified_view.
   (The V ∪ C inclusion derived first is not used in this proof.) *)
lemma BSIA_implies_BSIA_for_modified_view :
"⟦BSIA ρ⇩1 𝒱⇩1 Tr⇘ES⇙; ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1) ⟧ ⟹ BSIA ρ⇩2 𝒱⇩2 Tr⇘ES⇙"
proof -
assume BSIA: "BSIA ρ⇩1 𝒱⇩1 Tr⇘ES⇙"
and ρ⇩2_supseteq_ρ⇩1: "ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1)"
from V2_subset_V1 C2_equals_C1
have V⇩2_union_C⇩2_subset_V⇩1_union_C⇩1: "V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙ ⊆ V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙"
by auto
{
fix α β c
assume "c ∈ C⇘𝒱⇩2⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C⇩2_empty: "α ↿ C⇘𝒱⇩2⇙ = []"
and admissible_c_ρ⇩2_𝒱⇩2:"Adm 𝒱⇩2 ρ⇩2 Tr⇘ES⇙ β c"
moreover
with C2_equals_C1 have "c ∈ C⇘𝒱⇩1⇙"
by auto
moreover
from alpha_C⇩2_empty C2_equals_C1 have "α ↿ C⇘𝒱⇩1⇙ = []"
by auto
moreover
from ρ⇩2_supseteq_ρ⇩1 admissible_c_ρ⇩2_𝒱⇩2 have "Adm 𝒱⇩1 ρ⇩1 Tr⇘ES⇙ β c"
by (simp add: Adm_implies_Adm_for_modified_rho)
ultimately
have "∃ α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙ ∧ α' ↿ C⇘𝒱⇩1⇙ = []"
using BSIA unfolding BSIA_def by auto
with V2_subset_V1 C2_equals_C1
have "∃ α'. β @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩2⇙ = α ↿ V⇘𝒱⇩2⇙ ∧ α' ↿ C⇘𝒱⇩2⇙ = []"
using non_empty_projection_on_subset by metis
}
thus ?thesis
unfolding BSIA_def by auto
qed
(* View monotonicity for IA (insertion of admissible confidential events, the
   non-backwards-strict variant: the conclusion derived below also allows the
   prefix β to be replaced by some β' that agrees with β on V ∪ C).
   Premises and transfer steps are as in SIA_implies_SIA_for_modified_view;
   the projections on V and on V ∪ C are then shrunk from 𝒱⇩1 to 𝒱⇩2, for
   which V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙ ⊆ V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙ is derived locally. *)
lemma IA_implies_IA_for_modified_view :
"⟦IA ρ⇩1 𝒱⇩1 Tr⇘ES⇙; ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1) ⟧ ⟹ IA ρ⇩2 𝒱⇩2 Tr⇘ES⇙"
proof -
assume IA: "IA ρ⇩1 𝒱⇩1 Tr⇘ES⇙"
and ρ⇩2_supseteq_ρ⇩1: "ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1)"
{
fix α β c
assume "c ∈ C⇘𝒱⇩2⇙"
and "β @ α ∈ Tr⇘ES⇙"
and alpha_C⇩2_empty: "α ↿ C⇘𝒱⇩2⇙ = []"
and admissible_c_ρ⇩2_𝒱⇩2:"Adm 𝒱⇩2 ρ⇩2 Tr⇘ES⇙ β c"
(* Transfer of c, of C-freedom of α, and of admissibility to 𝒱⇩1. *)
moreover
with C2_equals_C1 have "c ∈ C⇘𝒱⇩1⇙"
by auto
moreover
from alpha_C⇩2_empty C2_equals_C1 have "α ↿ C⇘𝒱⇩1⇙ = []"
by auto
moreover
from ρ⇩2_supseteq_ρ⇩1 admissible_c_ρ⇩2_𝒱⇩2 have "Adm 𝒱⇩1 ρ⇩1 Tr⇘ES⇙ β c"
by (simp add: Adm_implies_Adm_for_modified_rho)
ultimately
(* IA for 𝒱⇩1: inserted trace β' @ [c] @ α' with α' C-free and both α' and β'
   agreeing with their originals on the 𝒱⇩1 projections. *)
have "∃ α' β'. β' @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩1⇙ = α ↿ V⇘𝒱⇩1⇙ ∧ α' ↿ C⇘𝒱⇩1⇙ = [] ∧ β' ↿ (V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙) = β ↿ (V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
using IA unfolding IA_def by auto
moreover
(* Needed so that non_empty_projection_on_subset can shrink the β' agreement
   from V ∪ C of 𝒱⇩1 to V ∪ C of 𝒱⇩2. *)
from V2_subset_V1 C2_equals_C1 have "(V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) ⊆ (V⇘𝒱⇩1⇙ ∪ C⇘𝒱⇩1⇙)"
by auto
ultimately
have "∃ α' β'. β' @ [c] @ α' ∈ Tr⇘ES⇙ ∧ α' ↿ V⇘𝒱⇩2⇙ = α ↿ V⇘𝒱⇩2⇙ ∧ α' ↿ C⇘𝒱⇩2⇙ = [] ∧ β' ↿ (V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙) = β ↿ (V⇘𝒱⇩2⇙ ∪ C⇘𝒱⇩2⇙)"
using V2_subset_V1 C2_equals_C1 non_empty_projection_on_subset by metis
}
thus ?thesis
unfolding IA_def by auto
qed
(* Monotonicity of FCI (forward-correctable insertion) under a change of both
   the view 𝒱 and the correction parameter Γ. The shape of FCI visible in the
   obtain step below: for c ∈ C ∩ Υ⇘Γ⇙ and v ∈ V ∩ ∇⇘Γ⇙, every trace
   β @ [v] @ α with C-free α can be turned into β @ [c] @ δ' @ [v] @ α'
   where the correction δ' only uses events from N ∩ Δ⇘Γ⇙.
   The premises go the way that weakens the obligation for (Γ⇩2, 𝒱⇩2):
   fewer insertable c (C ∩ Υ shrinks), fewer v to insert before (V ∩ ∇
   shrinks), and more freedom for the correction (N ∩ Δ grows). The locale
   facts V2_subset_V1 and C2_equals_C1 (outside this excerpt) relate the
   plain V and C components. *)
lemma FCI_implies_FCI_for_modified_view_gamma:
"⟦FCI Γ⇩1 𝒱⇩1 Tr⇘ES⇙;
V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙; N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙; C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙ ⟧
⟹ FCI Γ⇩2 𝒱⇩2 Tr⇘ES⇙"
proof -
assume "FCI Γ⇩1 𝒱⇩1 Tr⇘ES⇙"
and "V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙"
and "N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙"
and "C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙"
(* Arbitrary FCI instance for (Γ⇩2, 𝒱⇩2). *)
{
fix α β v c
assume "c ∈ C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙"
and "v ∈ V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙"
and "β @ [v] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇩2⇙ = []"
(* Move c, v and the C-freedom of α to (Γ⇩1, 𝒱⇩1) using the subset premises
   and the equality of the C components. *)
from ‹c ∈ C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙› ‹C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙› have "c ∈ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙"
by auto
moreover
from ‹v ∈ V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙› ‹V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙› have "v ∈ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙"
by auto
moreover
from C2_equals_C1 ‹α↿C⇘𝒱⇩2⇙ = []› have "α↿C⇘𝒱⇩1⇙ = []"
by auto
ultimately
(* FCI for (Γ⇩1, 𝒱⇩1) yields the corrected, inserted trace. *)
obtain α' δ' where "(set δ') ⊆ (N⇘𝒱⇩1⇙ ∩ Δ⇘Γ⇩1⇙)"
and "β @ [c] @ δ' @ [v] @ α' ∈ Tr⇘ES⇙"
and "α'↿V⇘𝒱⇩1⇙ = α↿V⇘𝒱⇩1⇙"
and "α'↿C⇘𝒱⇩1⇙ = []"
using ‹β @ [v] @ α ∈ Tr⇘ES⇙› ‹FCI Γ⇩1 𝒱⇩1 Tr⇘ES⇙› unfolding FCI_def by blast
(* Move the three side conditions back to (Γ⇩2, 𝒱⇩2): the correction set
   only grew, the V-agreement is shrunk to the smaller V⇘𝒱⇩2⇙, and C is the
   same set under another name. *)
from ‹(set δ') ⊆ (N⇘𝒱⇩1⇙ ∩ Δ⇘Γ⇩1⇙)› ‹N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙›
have "(set δ') ⊆ (N⇘𝒱⇩2⇙ ∩ Δ⇘Γ⇩2⇙)"
by auto
moreover
from ‹α'↿V⇘𝒱⇩1⇙ = α↿V⇘𝒱⇩1⇙› V2_subset_V1 have "α'↿V⇘𝒱⇩2⇙ = α↿V⇘𝒱⇩2⇙"
using non_empty_projection_on_subset by blast
moreover
from ‹C⇘𝒱⇩2⇙ = C⇘𝒱⇩1⇙› ‹α'↿C⇘𝒱⇩1⇙ = []› have "α'↿C⇘𝒱⇩2⇙ = []"
by auto
ultimately have "∃ δ' α'. (set δ') ⊆ (N⇘𝒱⇩2⇙ ∩ Δ⇘Γ⇩2⇙)
∧ β @ [c] @ δ'@ [v] @ α' ∈ Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇩2⇙ = α↿V⇘𝒱⇩2⇙ ∧ α'↿C⇘𝒱⇩2⇙ = []"
using ‹β @ [c] @ δ' @ [v] @ α' ∈ Tr⇘ES⇙› by auto
}
thus ?thesis
unfolding FCI_def by blast
qed
(* Monotonicity of FCIA (forward-correctable insertion of admissible
   confidential events) under a change of ρ, Γ and 𝒱. This combines the
   premises of FCI_implies_FCI_for_modified_view_gamma with the admissibility
   premise ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1) of SIA_implies_SIA_for_modified_view; all of
   them weaken the obligation for the modified parameters, and the proof is
   the FCI proof plus one extra transfer step for Adm. *)
lemma FCIA_implies_FCIA_for_modified_view_rho_gamma:
"⟦FCIA ρ⇩1 Γ⇩1 𝒱⇩1 Tr⇘ES⇙; ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1);
V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙; N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙; C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙ ⟧
⟹ FCIA ρ⇩2 Γ⇩2 𝒱⇩2 Tr⇘ES⇙"
proof -
assume "FCIA ρ⇩1 Γ⇩1 𝒱⇩1 Tr⇘ES⇙"
and "ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1)"
and "V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙"
and "N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙"
and "C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙"
(* Arbitrary FCIA instance for (ρ⇩2, Γ⇩2, 𝒱⇩2). *)
{
fix α β v c
assume "c ∈ C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙"
and "v ∈ V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙"
and "β @ [v] @ α ∈ Tr⇘ES⇙"
and "α↿C⇘𝒱⇩2⇙ = []"
and "Adm 𝒱⇩2 ρ⇩2 Tr⇘ES⇙ β c"
(* Transfer c, v, the C-freedom of α and the admissibility of c to the
   original parameters. *)
from ‹c ∈ C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙› ‹C⇘𝒱⇩2⇙∩Υ⇘Γ⇩2⇙ ⊆ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙› have "c ∈ C⇘𝒱⇩1⇙∩Υ⇘Γ⇩1⇙"
by auto
moreover
from ‹v ∈ V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙› ‹V⇘𝒱⇩2⇙∩∇⇘Γ⇩2⇙ ⊆ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙› have "v ∈ V⇘𝒱⇩1⇙∩∇⇘Γ⇩1⇙"
by auto
moreover
from C2_equals_C1 ‹α↿C⇘𝒱⇩2⇙ = []› have "α↿C⇘𝒱⇩1⇙ = []"
by auto
moreover
from ‹Adm 𝒱⇩2 ρ⇩2 Tr⇘ES⇙ β c› ‹ρ⇩2(𝒱⇩2) ⊇ ρ⇩1(𝒱⇩1)› have "Adm 𝒱⇩1 ρ⇩1 Tr⇘ES⇙ β c"
by (simp add: Adm_implies_Adm_for_modified_rho)
ultimately
(* FCIA for the original parameters yields the corrected, inserted trace. *)
obtain α' δ' where "(set δ') ⊆ (N⇘𝒱⇩1⇙ ∩ Δ⇘Γ⇩1⇙)"
and "β @ [c] @ δ' @ [v] @ α' ∈ Tr⇘ES⇙"
and "α'↿V⇘𝒱⇩1⇙ = α↿V⇘𝒱⇩1⇙"
and "α'↿C⇘𝒱⇩1⇙ = []"
using ‹β @ [v] @ α ∈ Tr⇘ES⇙› ‹FCIA ρ⇩1 Γ⇩1 𝒱⇩1 Tr⇘ES⇙› unfolding FCIA_def by blast
(* Move the side conditions back to (Γ⇩2, 𝒱⇩2), exactly as in the FCI case. *)
from ‹(set δ') ⊆ (N⇘𝒱⇩1⇙ ∩ Δ⇘Γ⇩1⇙)› ‹N⇘𝒱⇩2⇙∩Δ⇘Γ⇩2⇙ ⊇ N⇘𝒱⇩1⇙∩Δ⇘Γ⇩1⇙›
have "(set δ') ⊆ (N⇘𝒱⇩2⇙ ∩ Δ⇘Γ⇩2⇙)"
by auto
moreover
from ‹α'↿V⇘𝒱⇩1⇙ = α↿V⇘𝒱⇩1⇙› V2_subset_V1 have "α'↿V⇘𝒱⇩2⇙ = α↿V⇘𝒱⇩2⇙"
using non_empty_projection_on_subset by blast
moreover
from ‹C⇘𝒱⇩2⇙ = C⇘𝒱⇩1⇙› ‹α'↿C⇘𝒱⇩1⇙ = []› have "α'↿C⇘𝒱⇩2⇙ = []"
by auto
ultimately
have "∃ δ' α'. (set δ') ⊆ (N⇘𝒱⇩2⇙ ∩ Δ⇘Γ⇩2⇙)
∧ β @ [c] @ δ'@ [v] @ α' ∈ Tr⇘ES⇙ ∧ α'↿V⇘𝒱⇩2⇙ = α↿V⇘𝒱⇩2⇙ ∧ α'↿C⇘𝒱⇩2⇙ = []"
using ‹β @ [c] @ δ' @ [v] @ α' ∈ Tr⇘ES⇙› by auto
}
thus ?thesis
unfolding FCIA_def by blast
qed
end
end
Theory PropertyLibrary
theory PropertyLibrary
imports InformationFlowProperties "../SystemSpecification/EventSystems" "../Verification/Basics/BSPTaxonomy"
begin
(* Library of classical information-flow properties. Each property is given
   twice: as an IFP_type value, a pair of a set of views and a set of basic
   security predicates (BSPs) checked with the generic machinery, and as a
   literal "lit..." trace predicate written out directly. Equivalence of the
   two forms is not established in this excerpt. Throughout, L and H are the
   low and high event sets; IE presumably denotes the input events (inferred
   from the name only). Each *_valid lemma shows the IFP is well-formed on
   the event set L ∪ H provided L ∩ H = {}, which discharges the pairwise
   disjointness obligations (VN/VC/NC) on the view components. *)
(* View in which only high inputs are confidential: low events are visible
   (V), high inputs H ∩ IE are confidential (C), and the remaining high
   events are neither visible nor confidential (N). *)
definition
HighInputsConfidential :: "'e set ⇒ 'e set ⇒ 'e set ⇒ 'e V_rec"
where
"HighInputsConfidential L H IE ≡ ⦇ V=L, N=H-IE, C=H ∩ IE ⦈"
(* View in which every high event is confidential; N is empty. *)
definition HighConfidential :: "'e set ⇒ 'e set ⇒ 'e V_rec"
where
"HighConfidential L H ≡ ⦇ V=L, N={}, C=H ⦈"
(* All interleavings of two traces (the relative order within each input is
   preserved). The first two equations overlap on ([], []); fun takes the
   first match, and both give {[]}, so the overlap is harmless. *)
fun interleaving :: "'e list ⇒ 'e list ⇒ ('e list) set"
where
"interleaving t1 [] = {t1}" |
"interleaving [] t2 = {t2}" |
"interleaving (e1 # t1) (e2 # t2) =
{t. (∃t'. t=(e1 # t') ∧ t' ∈ interleaving t1 (e2 #t2))}
∪ {t. (∃t'. t=(e2 # t') ∧ t' ∈ interleaving (e1 # t1) t2)}"
(* Generalized noninterference: high inputs confidential, with the
   backwards-strict deletion (BSD) and insertion (BSI) predicates. *)
definition GNI :: "'e set ⇒ 'e set ⇒ 'e set ⇒ 'e IFP_type"
where
"GNI L H IE ≡ ( {HighInputsConfidential L H IE}, {BSD, BSI})"
lemma GNI_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (GNI L H IE)"
unfolding IFP_valid_def GNI_def HighInputsConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_BSD BasicSecurityPredicates.BSP_valid_BSI
by auto
(* Literal GNI: for every trace t1 @ t2 and every t3 that agrees with t2 on
   the non-high-input events L ∪ (H - IE), there is a continuation t4 of t1
   in Tr whose projection onto L ∪ (H ∩ IE) is that of t3. *)
definition litGNI :: "'e set ⇒ 'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litGNI L H IE Tr ≡
∀ t1 t2 t3.
t1 @ t2 ∈ Tr ∧ t3 ↿ (L ∪ (H - IE)) = t2 ↿ (L ∪ (H - IE))
⟶ (∃ t4. t1 @ t4 ∈ Tr ∧ t4↿(L ∪ (H ∩ IE)) = t3↿(L ∪ (H ∩ IE)))"
(* Same view as GNI, but with the BSPs D and I (defined in
   BasicSecurityPredicates, outside this excerpt; presumably the
   non-backwards-strict deletion/insertion variants). *)
definition IBGNI :: "'e set ⇒ 'e set ⇒ 'e set ⇒ 'e IFP_type"
where "IBGNI L H IE ≡ ( {HighInputsConfidential L H IE}, {D, I})"
lemma IBGNI_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (IBGNI L H IE)"
unfolding IFP_valid_def IBGNI_def HighInputsConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_D BasicSecurityPredicates.BSP_valid_I
by auto
(* Literal IBGNI: for every trace τ_l, every interleaving of an arbitrary
   high-input sequence t_hi with the low projection of τ_l must be the
   L ∪ (H ∩ IE) projection of some trace τ'. *)
definition
litIBGNI :: "'e set ⇒ 'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litIBGNI L H IE Tr ≡
∀ τ_l ∈ Tr. ∀ t_hi t.
(set t_hi) ⊆ (H ∩ IE) ∧ t ∈ interleaving t_hi (τ_l ↿ L)
⟶ (∃ τ' ∈ Tr. τ' ↿ (L ∪ (H ∩ IE)) = t)"
(* Forward correctability: GNI's predicates plus FCD and FCI, both
   parameterised with Γ = ⦇Nabla=IE, Delta={}, Upsilon=IE⦈. Since Delta is
   empty, the correction sequence δ' allowed by FCD/FCI (set δ' ⊆ N ∩ Δ) must
   be empty, which matches litFC below, where no correcting events appear. *)
definition FC :: "'e set ⇒ 'e set ⇒ 'e set ⇒ 'e IFP_type"
where
"FC L H IE ≡
( {HighInputsConfidential L H IE},
{BSD, BSI, (FCD ⦇ Nabla=IE, Delta={}, Upsilon=IE ⦈),
(FCI ⦇ Nabla=IE, Delta={}, Upsilon=IE ⦈ )})"
lemma FC_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (FC L H IE)"
unfolding IFP_valid_def FC_def HighInputsConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_BSD BasicSecurityPredicates.BSP_valid_BSI
BasicSecurityPredicates.BSP_valid_FCD BasicSecurityPredicates.BSP_valid_FCI
by auto
(* Literal FC, four conjuncts for every high input hi and trace split
   t_1 / t_2 with t_2 free of high inputs: hi can be inserted directly before
   a low input li, hi can be inserted after t_1, hi can be deleted from
   directly before li, and hi can be deleted after t_1. In each case the new
   suffix t_3 keeps the low projection of t_2 and stays free of high inputs. *)
definition litFC :: "'e set ⇒ 'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litFC L H IE Tr ≡
∀t_1 t_2. ∀ hi ∈ (H ∩ IE).
(
(∀ li ∈ (L ∩ IE).
t_1 @ [li] @ t_2 ∈ Tr ∧ t_2 ↿ (H ∩ IE) = []
⟶ (∃ t_3. t_1 @ [hi] @ [li] @ t_3 ∈ Tr
∧ t_3 ↿ L = t_2 ↿ L ∧ t_3 ↿ (H ∩ IE) = [] ))
∧ (t_1 @ t_2 ∈ Tr ∧ t_2 ↿ (H ∩ IE) = []
⟶ (∃ t_3. t_1 @ [hi] @ t_3 ∈ Tr
∧ t_3 ↿ L = t_2 ↿ L ∧ t_3 ↿ (H ∩ IE) = [] ))
∧ (∀ li ∈ (L ∩ IE).
t_1 @ [hi] @ [li] @ t_2 ∈ Tr ∧ t_2 ↿ (H ∩ IE) = []
⟶ (∃ t_3. t_1 @ [li] @ t_3 ∈ Tr
∧ t_3 ↿ L = t_2 ↿ L ∧ t_3 ↿ (H ∩ IE) = [] ))
∧ (t_1 @ [hi] @ t_2 ∈ Tr ∧ t_2 ↿ (H ∩ IE) = []
⟶ (∃ t_3. t_1 @ t_3 ∈ Tr
∧ t_3 ↿ L = t_2 ↿ L ∧ t_3 ↿ (H ∩ IE) = [] ))
)"
(* Nondeducibility on outputs: all high events confidential, BSD plus BSIA
   with ρ selecting C⇘𝒱⇙ ∪ (V⇘𝒱⇙ ∩ UI). UI presumably denotes user inputs
   (name only). Note the parameter order UI L H, unlike the L H IE order of
   the other properties in this theory. *)
definition NDO :: "'e set ⇒ 'e set ⇒ 'e set ⇒ 'e IFP_type"
where
"NDO UI L H ≡
( {HighConfidential L H}, {BSD, (BSIA (λ 𝒱. C⇘𝒱⇙ ∪ (V⇘𝒱⇙ ∩ UI)))})"
lemma NDO_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (NDO UI L H)"
unfolding IFP_valid_def NDO_def HighConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_BSD
BasicSecurityPredicates.BSP_valid_BSIA[of "(λ 𝒱. C⇘𝒱⇙ ∪ (V⇘𝒱⇙ ∩ UI))"]
by auto
(* Literal NDO: any t whose low projection matches one trace and whose
   H ∪ (L ∩ UI) projection matches another trace is itself a trace. *)
definition litNDO :: "'e set ⇒ 'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litNDO UI L H Tr ≡
∀τ_l ∈ Tr. ∀ τ_hlui ∈ Tr. ∀ t.
t↿L = τ_l↿L ∧ t↿(H ∪ (L ∩ UI)) = τ_hlui↿(H ∪ (L ∩ UI)) ⟶ t ∈ Tr"
(* Noninference: all high events confidential, BSP R (defined in
   BasicSecurityPredicates, outside this excerpt; litNF below suggests it is
   closure under removing all confidential events). *)
definition NF :: "'e set ⇒ 'e set ⇒ 'e IFP_type"
where
"NF L H ≡ ( {HighConfidential L H}, {R})"
lemma NF_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (NF L H)"
unfolding IFP_valid_def NF_def HighConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_R
by auto
(* Literal NF: the low projection of every trace is itself a trace. *)
definition litNF :: "'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litNF L H Tr ≡ ∀τ ∈ Tr. τ ↿ L ∈ Tr"
(* Generalized noninference: like NF but only high inputs are confidential. *)
definition GNF :: "'e set ⇒ 'e set ⇒ 'e set ⇒ 'e IFP_type"
where
"GNF L H IE ≡ ( {HighInputsConfidential L H IE}, {R})"
lemma GNF_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (GNF L H IE)"
unfolding IFP_valid_def GNF_def HighInputsConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_R
by auto
(* Literal GNF: every trace has a counterpart without high inputs and with
   the same low projection. *)
definition litGNF :: "'e set ⇒ 'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litGNF L H IE Tr ≡
∀τ ∈ Tr. ∃τ' ∈ Tr. τ'↿ (H ∩ IE) = [] ∧ τ'↿ L = τ ↿ L"
(* Separability: BSD plus BSIA whose ρ keeps exactly the confidential
   events, i.e. admissibility of a high event is judged on the high history. *)
definition SEP :: "'e set ⇒ 'e set ⇒ 'e IFP_type"
where
"SEP L H ≡ ( {HighConfidential L H}, {BSD, (BSIA (λ 𝒱. C⇘𝒱⇙))})"
lemma SEP_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (SEP L H)"
unfolding IFP_valid_def SEP_def HighConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_BSD
BasicSecurityPredicates.BSP_valid_BSIA[of "λ 𝒱. C⇘𝒱⇙"]
by auto
(* Literal SEP: every interleaving of the low projection of one trace with
   the high projection of another is a trace (with that low projection). *)
definition litSEP :: "'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litSEP L H Tr ≡
∀τ_l ∈ Tr. ∀ τ_h ∈ Tr.
interleaving (τ_l ↿ L) (τ_h ↿ H) ⊆ {τ ∈ Tr . τ ↿ L = τ_l ↿ L} "
(* Perfect security property: BSD plus BSIA whose ρ keeps the whole view
   (C ∪ N ∪ V), i.e. admissibility is judged on the complete history. *)
definition PSP :: "'e set ⇒ 'e set ⇒ 'e IFP_type"
where
"PSP L H ≡
( {HighConfidential L H}, {BSD, (BSIA (λ 𝒱. C⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ V⇘𝒱⇙))})"
lemma PSP_valid: "L ∩ H = {} ⟹ IFP_valid (L ∪ H) (PSP L H)"
unfolding IFP_valid_def PSP_def HighConfidential_def isViewOn_def
V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
using BasicSecurityPredicates.BSP_valid_BSD
BasicSecurityPredicates.BSP_valid_BSIA[of "λ 𝒱. C⇘𝒱⇙ ∪ N⇘𝒱⇙ ∪ V⇘𝒱⇙"]
by auto
(* Literal PSP: low projections of traces are traces, and a high event h
   that is possible after β can be inserted after β in front of any
   high-free suffix α. *)
definition litPSP :: "'e set ⇒ 'e set ⇒ ('e list) set ⇒ bool"
where
"litPSP L H Tr ≡
(∀τ ∈ Tr. τ ↿ L ∈ Tr)
∧ (∀ α β. (β @ α) ∈ Tr ∧ (α ↿ H) = []
⟶ (∀ h ∈ H. β @ [h] ∈ Tr ⟶ β @ [h] @ α ∈ Tr))"
end
Theory SecureSystems
theory SecureSystems
imports "../../SystemSpecification/StateEventSystems"
"../../SecuritySpecification/InformationFlowProperties"
begin
(* Pairs an event system with an information-flow property. Both are
   assumed well-formed: ES_valid for the system and IFP_valid for the
   property over the system's event set E⇘ES⇙. *)
locale SecureESIFP =
fixes ES :: "'e ES_rec"
and IFP :: "'e IFP_type"
assumes validES: "ES_valid ES"
and validIFPES: "IFP_valid E⇘ES⇙ IFP"
context SecureESIFP
begin
(* The system is secure w.r.t. IFP iff IFP holds of its trace set. *)
definition ES_sat_IFP :: "bool"
where
"ES_sat_IFP ≡ IFPIsSatisfied IFP Tr⇘ES⇙"
end
(* The same pairing for a state-event system. *)
locale SecureSESIFP =
fixes SES :: "('s, 'e) SES_rec"
and IFP :: "'e IFP_type"
assumes validSES: "SES_valid SES"
and validIFPSES: "IFP_valid E⇘SES⇙ IFP"
(* A secure SES is a secure ES via the induced event system induceES SES:
   induceES_yields_ES gives ES_valid from SES_valid, and the IFP validity
   transfers because (after unfolding induceES_def) the induced event set is
   E⇘SES⇙. *)
sublocale SecureSESIFP ⊆ SecureESIFP "induceES SES" "IFP"
by (unfold_locales, rule induceES_yields_ES, rule validSES,
simp add: induceES_def, rule validIFPSES)
context SecureSESIFP
begin
(* Satisfaction for a SES is, by the sublocale above, satisfaction of the
   induced event system. *)
abbreviation SES_sat_IFP
where
"SES_sat_IFP ≡ ES_sat_IFP"
end
end
Theory UnwindingConditions
theory UnwindingConditions
imports "../Basics/BSPTaxonomy"
"../../SystemSpecification/StateEventSystems"
begin
(* Unwinding conditions: local, state-based conditions on a state-event
   system SES and a view 𝒱 that imply the trace-based basic security
   predicates (the implications are proved in UnwindingResults). All
   conditions are phrased over an "unwinding relation" ur on states; the
   orientation used throughout is that for (x, y) ∈ ur the state y must be
   able to mimic the non-confidential behaviour of x (see osc). *)
locale Unwinding =
fixes SES :: "('s, 'e) SES_rec"
and 𝒱 :: "'e V_rec"
assumes validSES: "SES_valid SES"
and validVU: "isViewOn 𝒱 E⇘SES⇙"
(* Makes the BSP taxonomy available for the induced event system and 𝒱;
   the view is on E⇘SES⇙, which after unfolding induceES_def is the induced
   event set. *)
sublocale Unwinding ⊆ BSPTaxonomyDifferentCorrections "induceES SES" "𝒱"
by (unfold_locales, simp add: induceES_yields_ES validSES,
simp add: induceES_def validVU)
context Unwinding
begin
(* osc (presumably "output step consistency"): whenever two reachable states
   satisfy (s1', s1) ∈ ur and s1' performs a non-confidential step e to s2',
   then s1 can perform a C-free sequence δ with the same V-projection as [e]
   to some s2 with (s2', s2) ∈ ur. The single-step relation is written
   s e⟶⇘SES⇙ s', the multi-step one s δ⟹⇘SES⇙ s'. *)
definition osc :: "'s rel ⇒ bool"
where
"osc ur ≡
∀s1 ∈ S⇘SES⇙. ∀s1' ∈ S⇘SES⇙. ∀s2' ∈ S⇘SES⇙. ∀e ∈ (E⇘SES⇙ - C⇘𝒱⇙).
(reachable SES s1 ∧ reachable SES s1'
∧ s1' e⟶⇘SES⇙ s2' ∧ (s1', s1) ∈ ur)
⟶ (∃s2 ∈ S⇘SES⇙. ∃δ. δ ↿ C⇘𝒱⇙ = [] ∧ δ ↿ V⇘𝒱⇙ = [e] ↿ V⇘𝒱⇙
∧ s1 δ⟹⇘SES⇙ s2 ∧ (s2', s2) ∈ ur)"
(* lrf (presumably "locally respects, forward"): a confidential step
   s c⟶ s' from a reachable s puts (s', s) into ur, i.e. the state before
   the confidential event must be able to mimic the state after it. Used for
   deletion (BSD). *)
definition lrf :: "'s rel ⇒ bool"
where
"lrf ur ≡
∀s ∈ S⇘SES⇙. ∀s' ∈ S⇘SES⇙. ∀c ∈ C⇘𝒱⇙.
((reachable SES s ∧ s c⟶⇘SES⇙ s') ⟶ (s', s) ∈ ur)"
(* lrb (presumably "locally respects, backward"): every confidential event
   is enabled in every reachable state, leading to a state that mimics the
   current one. Used for insertion (BSI); note this demands that every c ∈ C
   be enabled everywhere. *)
definition lrb :: "'s rel ⇒ bool"
where
"lrb ur ≡ ∀s ∈ S⇘SES⇙. ∀c ∈ C⇘𝒱⇙.
(reachable SES s ⟶ (∃s' ∈ S⇘SES⇙. (s c⟶⇘SES⇙ s' ∧ ((s, s') ∈ ur))))"
(* fcrf (forward-correctable variant of lrf, parameterised by Γ): if a
   reachable s can perform [c] @ [v] with c ∈ C ∩ Υ⇘Γ⇙ and v ∈ V ∩ ∇⇘Γ⇙,
   then s can instead perform δ @ [v] with δ drawn from N ∩ Δ⇘Γ⇙, reaching a
   state that mimics the original target. Used for FCD. *)
definition fcrf :: "'e Gamma ⇒ 's rel ⇒ bool"
where
"fcrf Γ ur ≡
∀c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙). ∀v ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙). ∀s ∈ S⇘SES⇙. ∀s' ∈ S⇘SES⇙.
((reachable SES s ∧ s ([c] @ [v])⟹⇘SES⇙ s')
⟶ (∃s'' ∈ S⇘SES⇙. ∃δ. (∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)) ∧
s (δ @ [v])⟹⇘SES⇙ s'' ∧ (s', s'') ∈ ur))"
(* fcrb (forward-correctable variant of lrb): if a reachable s can perform
   v ∈ V ∩ ∇⇘Γ⇙, then for every c ∈ C ∩ Υ⇘Γ⇙ it can also perform
   [c] @ δ @ [v] with a correction δ from N ∩ Δ⇘Γ⇙, reaching a state that
   mimics the original target. Used for FCI. *)
definition fcrb :: "'e Gamma ⇒ 's rel ⇒ bool"
where
"fcrb Γ ur ≡
∀c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙). ∀v ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙). ∀s ∈ S⇘SES⇙. ∀s'' ∈ S⇘SES⇙.
((reachable SES s ∧ s v⟶⇘SES⇙ s'')
⟶ (∃s' ∈ S⇘SES⇙. ∃δ. (∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)) ∧
s ([c] @ δ @ [v])⟹⇘SES⇙ s' ∧ (s'', s') ∈ ur))"
(* En: e is "enabled modulo ρ" in s if s is reached by some path β from the
   initial state and some other path γ with the same ρ 𝒱-projection reaches
   a state s' in which e is enabled. This is the state-based counterpart of
   the trace-based admissibility Adm (En_to_Adm / Adm_to_En in
   AuxiliaryLemmas): an observer who only sees the ρ-projection cannot rule
   out e after β. *)
definition En :: "'e Rho ⇒ 's ⇒ 'e ⇒ bool"
where
"En ρ s e ≡
∃β γ. ∃s' ∈ S⇘SES⇙. ∃s'' ∈ S⇘SES⇙.
s0⇘SES⇙ β⟹⇘SES⇙ s ∧ (γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱))
∧ s0⇘SES⇙ γ⟹⇘SES⇙ s' ∧ s' e⟶⇘SES⇙ s''"
(* lrbe: lrb weakened to confidential events that are En-enabled in s, the
   unwinding condition matching BSIA. *)
definition lrbe :: "'e Rho ⇒ 's rel ⇒ bool"
where
"lrbe ρ ur ≡
∀s ∈ S⇘SES⇙. ∀c ∈ C⇘𝒱⇙ .
((reachable SES s ∧ (En ρ s c))
⟶ (∃s' ∈ S⇘SES⇙. (s c⟶⇘SES⇙ s' ∧ (s, s') ∈ ur)))"
(* fcrbe: fcrb weakened to En-enabled c, matching FCIA. *)
definition fcrbe :: "'e Gamma ⇒ 'e Rho ⇒ 's rel ⇒ bool"
where
"fcrbe Γ ρ ur ≡
∀c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙). ∀v ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙). ∀s ∈ S⇘SES⇙. ∀s'' ∈ S⇘SES⇙.
((reachable SES s ∧ s v⟶⇘SES⇙ s'' ∧ (En ρ s c))
⟶ (∃s' ∈ S⇘SES⇙. ∃δ. (∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)) ∧
s ([c] @ δ @ [v])⟹⇘SES⇙ s' ∧ (s'', s') ∈ ur))"
end
end
Theory AuxiliaryLemmas
theory AuxiliaryLemmas
imports UnwindingConditions
begin
context Unwinding
begin
(* Lifts osc from a single non-confidential step to a whole C-free trace α:
   if s1 mimics s1' (in the sense (s1', s1) ∈ ur) and α is enabled in s1',
   then s1 enables some C-free α' with the same V-projection. This is the
   workhorse of every unwinding theorem in UnwindingResults: the visible
   behaviour after a deleted or inserted confidential event is reproduced
   from the ur-related state. Proof by induction on α, generalised over the
   two states (⋀s1 s1'). *)
lemma osc_property:
"⋀s1 s1'. ⟦ osc ur; s1 ∈ S⇘SES⇙; s1' ∈ S⇘SES⇙; α ↿ C⇘𝒱⇙ = [];
reachable SES s1; reachable SES s1'; enabled SES s1' α; (s1', s1) ∈ ur ⟧
⟹ (∃α'. α' ↿ C⇘𝒱⇙ = [] ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ enabled SES s1 α')"
proof (induct α)
case Nil
(* The empty trace is its own witness. *)
have "[] ↿ C⇘𝒱⇙ = [] ∧
[] ↿ V⇘𝒱⇙ = [] ↿ V⇘𝒱⇙ ∧ enabled SES s1 []"
by (simp add: enabled_def projection_def)
thus ?case by (rule exI)
next
case (Cons e1 α1)
assume osc_true: "osc ur"
assume s1_in_S: "s1 ∈ S⇘SES⇙"
assume s1'_in_S: "s1' ∈ S⇘SES⇙"
assume e1α1_C_empty: "(e1 # α1) ↿ C⇘𝒱⇙ = []"
assume reachable_s1: "reachable SES s1"
assume reachable_s1': "reachable SES s1'"
assume enabled_s1'_e1α1: "enabled SES s1' (e1 # α1)"
assume unwindingrel_s1'_s1: "(s1', s1) ∈ ur"
(* osc quantifies over e ∈ E⇘SES⇙ - C⇘𝒱⇙, so first show every event of
   e1 # α1 is a system event (it occurs in a valid trace, and valid traces
   only contain events) that is not confidential (the C-projection is empty). *)
have e1α1_no_c: "∀a ∈ (set (e1 # α1)). a ∈ (E⇘SES⇙ - C⇘𝒱⇙)"
proof -
from reachable_s1' obtain β
where "s0⇘SES⇙ β⟹⇘SES⇙ s1'"
by(simp add: reachable_def, auto)
moreover
from enabled_s1'_e1α1 obtain s1337
where "s1' (e1 # α1)⟹⇘SES⇙ s1337"
by(simp add: enabled_def, auto)
ultimately have "s0⇘SES⇙ (β @ (e1 # α1))⟹⇘SES⇙ s1337"
by(rule path_trans)
hence "β @ (e1 # α1) ∈ Tr⇘(induceES SES)⇙"
by (simp add: induceES_def possible_traces_def enabled_def)
with validSES induceES_yields_ES[of "SES"] have "∀a ∈ (set (β @ (e1 # α1))). a ∈ E⇘SES⇙"
by (simp add: induceES_def ES_valid_def traces_contain_events_def)
hence "∀ a ∈ (set (e1 # α1)). a ∈ E⇘SES⇙"
by auto
with e1α1_C_empty show ?thesis
by (simp only: projection_def filter_empty_conv, auto)
qed
(* Split off the first step s1' e1⟶ s2'; s2' is a state, reachable, and
   enables the rest α1. *)
from enabled_s1'_e1α1 obtain s2' where
s1'_e1_s2': "s1' e1⟶⇘SES⇙ s2'"
by (simp add: enabled_def, split if_split_asm, auto)
with validSES have s2'_in_S: "s2' ∈ S⇘SES⇙"
by (simp add: SES_valid_def correct_transition_relation_def)
have reachable_s2': "reachable SES s2'"
proof -
from reachable_s1' obtain t where
path_to_s1': "s0⇘SES⇙ t⟹⇘SES⇙ s1'"
by (simp add: reachable_def, auto)
from s1'_e1_s2' have "s1' [e1]⟹⇘SES⇙ s2'"
by simp
with path_to_s1' have "s0⇘SES⇙ (t @ [e1])⟹⇘SES⇙ s2'"
by (simp add: path_trans)
thus ?thesis by (simp add: reachable_def, rule exI)
qed
from s1'_e1_s2' enabled_s1'_e1α1 obtain sn' where
"s2' α1⟹⇘SES⇙ sn'"
by (simp add: enabled_def, auto)
hence enabled_s2'_α1: "enabled SES s2' α1"
by (simp add: enabled_def)
from e1α1_no_c have e1_no_c: "e1 ∈ (E⇘SES⇙ - C⇘𝒱⇙)"
by simp
from e1α1_no_c have α1_no_c: "∀a∈(set α1). (a ∈ (E⇘SES⇙ - C⇘𝒱⇙))"
by simp
hence α1_proj_C_empty: "α1 ↿ C⇘𝒱⇙ = []"
by (simp add: projection_def)
(* Apply osc to the single step e1: s1 can mimic it by a C-free δ with the
   same V-projection, ending in s2 with (s2', s2) ∈ ur. *)
from osc_true have
"⟦ s1 ∈ S⇘SES⇙; s1' ∈ S⇘SES⇙; s2' ∈ S⇘SES⇙;
e1 ∈ (E⇘SES⇙ - C⇘𝒱⇙); reachable SES s1; reachable SES s1';
s1' e1⟶⇘SES⇙ s2'; (s1', s1) ∈ ur ⟧
⟹ (∃s2 ∈ S⇘SES⇙. ∃δ. δ ↿ C⇘𝒱⇙ = []
∧ (δ ↿ V⇘𝒱⇙) = ([e1] ↿ V⇘𝒱⇙) ∧ (s1 δ⟹⇘SES⇙ s2 ∧
((s2', s2) ∈ ur)))"
by (simp add: osc_def)
with s1_in_S s1'_in_S e1_no_c reachable_s1 reachable_s1'
s2'_in_S s1'_e1_s2' unwindingrel_s1'_s1
obtain s2 δ where
osc_conclusion:
"s2 ∈ S⇘SES⇙ ∧ δ ↿ C⇘𝒱⇙ = [] ∧
(δ ↿ V⇘𝒱⇙) = ([e1] ↿ V⇘𝒱⇙) ∧ s1 δ⟹⇘SES⇙ s2 ∧
((s2', s2) ∈ ur)"
by auto
hence δ_proj_C_empty: "δ ↿ C⇘𝒱⇙ = []"
by (simp add: projection_def)
from osc_conclusion have s2_in_S: "s2 ∈ S⇘SES⇙"
by auto
from osc_conclusion have unwindingrel_s2'_s2: "(s2', s2) ∈ ur"
by auto
have reachable_s2: "reachable SES s2"
proof -
from reachable_s1 obtain t where
path_to_s1: "s0⇘SES⇙ t⟹⇘SES⇙ s1"
by (simp add: reachable_def, auto)
from osc_conclusion have "s1 δ⟹⇘SES⇙ s2"
by auto
with path_to_s1 have "s0⇘SES⇙ (t @ δ)⟹⇘SES⇙ s2"
by (simp add: path_trans)
thus ?thesis by (simp add: reachable_def, rule exI)
qed
(* Induction hypothesis at the pair (s2, s2') gives a witness α'' for α1;
   δ @ α'' is then the witness for e1 # α1. *)
from Cons osc_true s2_in_S s2'_in_S α1_proj_C_empty
reachable_s2 reachable_s2' enabled_s2'_α1 unwindingrel_s2'_s2
obtain α'' where α''_props:
"α'' ↿ C⇘𝒱⇙ = [] ∧ α'' ↿ V⇘𝒱⇙ = α1 ↿ V⇘𝒱⇙ ∧ enabled SES s2 α''"
by auto
with osc_conclusion have δα''_props:
"(δ @ α'') ↿ C⇘𝒱⇙ = [] ∧
(δ @ α'') ↿ V⇘𝒱⇙ = (e1#α1) ↿ V⇘𝒱⇙ ∧ enabled SES s1 (δ @ α'')"
by (simp add: projection_def enabled_def, auto, simp add: path_trans)
hence "(δ @ α'') ↿ C⇘𝒱⇙ = []"
by (simp add: projection_def)
thus ?case using δα''_props by auto
qed
(* States are closed under paths: a path starting in a state of S⇘SES⇙ ends
   in S⇘SES⇙. Relies on correct_transition_relation from SES_valid. *)
lemma path_state_closure: "⟦ s τ⟹⇘SES⇙ s'; s ∈ S⇘SES⇙ ⟧ ⟹ s' ∈ S⇘SES⇙"
(is "⟦ ?P s τ s'; ?S s SES ⟧ ⟹ ?S s' SES ")
proof (induct τ arbitrary: s s')
case Nil with validSES show ?case
by (auto simp add: SES_valid_def correct_transition_relation_def)
next
case (Cons e τ) thus ?case
proof -
assume path_eτ: "?P s (e # τ) s'"
assume induct_hypo: "⋀ s s'. ⟦ ?P s τ s'; ?S s SES ⟧ ⟹ ?S s' SES"
from path_eτ obtain s'' where s_e_s'': "s e⟶⇘SES⇙ s''"
by(simp add: path_def, split if_split_asm, auto)
with validSES have s''_in_S: "?S s'' SES"
by (simp add: SES_valid_def correct_transition_relation_def)
from s_e_s'' path_eτ have path_τ: "?P s'' τ s'" by auto
from path_τ s''_in_S show ?case by (rule induct_hypo)
qed
qed
(* State-based enabledness modulo ρ implies trace-based admissibility: the
   path β to s and the alternative path γ @ [e] from En are exactly the
   witnesses Adm needs (after unfolding, Adm asks for a γ with the same
   ρ 𝒱-projection as β such that γ @ [e] is a trace). *)
theorem En_to_Adm:
"⟦ reachable SES s; En ρ s e⟧
⟹ ∃β. ( s0⇘SES⇙ β⟹⇘SES⇙ s ∧ Adm 𝒱 ρ Tr⇘(induceES SES)⇙ β e )"
proof -
assume "En ρ s e"
then obtain β γ s' s''
where "s0⇘SES⇙ β⟹⇘SES⇙ s"
and "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and s0_γ_s': "s0⇘SES⇙ γ⟹⇘SES⇙ s'"
and s'_e_s'': "s' e⟶⇘SES⇙ s''"
by (simp add: En_def, auto)
moreover
from s0_γ_s' s'_e_s'' have "s0⇘SES⇙ (γ @ [e])⟹⇘SES⇙ s''"
by (rule path_trans_single)
hence "(γ @ [e]) ∈ Tr⇘(induceES SES)⇙"
by(simp add: induceES_def possible_traces_def enabled_def)
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
(* Converse of En_to_Adm: admissibility of e after a trace β of the induced
   event system gives a state s reached by β in which e is En-enabled. The
   trace γ @ [e] from Adm is split into γ and the final step with
   path_split_single; path_state_closure supplies the state memberships
   that En requires. *)
theorem Adm_to_En:
"⟦ β ∈ Tr⇘(induceES SES)⇙; Adm 𝒱 ρ Tr⇘(induceES SES)⇙ β e ⟧
⟹ ∃s ∈ S⇘SES⇙. (s0⇘SES⇙ β⟹⇘SES⇙ s ∧ En ρ s e)"
proof -
from validSES have s0_in_S: "s0⇘SES⇙ ∈ S⇘SES⇙"
by (simp add: SES_valid_def s0_is_state_def)
assume "β ∈ Tr⇘(induceES SES)⇙"
then obtain s
where s0_β_s: "s0⇘SES⇙ β⟹⇘SES⇙ s"
by (simp add: induceES_def possible_traces_def enabled_def, auto)
from this have s_in_S: "s ∈ S⇘SES⇙" using s0_in_S
by (rule path_state_closure)
assume "Adm 𝒱 ρ Tr⇘(induceES SES)⇙ β e"
then obtain γ
where ργ_is_ρβ: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and "∃s''. s0⇘SES⇙ (γ @ [e])⟹⇘SES⇙ s''"
by(simp add: Adm_def induceES_def possible_traces_def enabled_def, auto)
then obtain s''
where s0_γe_s'': "s0⇘SES⇙ (γ @ [e])⟹⇘SES⇙ s''"
by auto
from this have s''_in_S: "s'' ∈ S⇘SES⇙" using s0_in_S
by (rule path_state_closure)
from path_split_single[OF s0_γe_s''] obtain s'
where s0_γ_s': "s0⇘SES⇙ γ⟹⇘SES⇙ s'"
and s'_e_s'': "s' e⟶⇘SES⇙ s''"
by auto
from path_state_closure[OF s0_γ_s' s0_in_S] have s'_in_S: "s' ∈ S⇘SES⇙".
from s'_in_S s''_in_S s0_β_s ργ_is_ρβ s0_γ_s' s'_e_s'' s_in_S show ?thesis
by (simp add: En_def, auto)
qed
(* A trace β @ α of the induced event system passes, after β, through a
   reachable state s of S⇘SES⇙ in which α is enabled. Used by every
   unwinding theorem to move from a trace to the state where the confidential
   event is deleted or inserted. *)
lemma state_from_induceES_trace:
"⟦ (β @ α) ∈ Tr⇘(induceES SES)⇙ ⟧
⟹ ∃s ∈ S⇘SES⇙. s0⇘SES⇙ β⟹⇘SES⇙ s ∧ enabled SES s α ∧ reachable SES s"
proof -
assume βα_in_Tr: "(β @ α) ∈ Tr⇘(induceES SES)⇙"
then obtain s' where s0_βα_s':"s0⇘SES⇙ (β @ α)⟹⇘SES⇙ s'"
by (simp add: induceES_def possible_traces_def enabled_def, auto)
from path_split[OF s0_βα_s'] obtain s
where s0_β_s: "s0⇘SES⇙ β⟹⇘SES⇙ s"
and "s α⟹⇘SES⇙ s'"
by auto
hence enabled_s_α: "enabled SES s α"
by (simp add: enabled_def)
from s0_β_s have reachable_s: "reachable SES s"
by(simp add: reachable_def, auto)
from validSES have "s0⇘SES⇙ ∈ S⇘SES⇙"
by (simp add: SES_valid_def s0_is_state_def)
with s0_β_s have s_in_S: "s ∈ S⇘SES⇙"
by (rule path_state_closure)
with s0_β_s enabled_s_α reachable_s show ?thesis
by auto
qed
(* path_split from the initial state, strengthened with membership in
   S⇘SES⇙ and reachability of the intermediate state. *)
lemma path_split2:"s0⇘SES⇙ (β @ α)⟹⇘SES⇙ s
⟹ ∃s' ∈ S⇘SES⇙. ( s0⇘SES⇙ β⟹⇘SES⇙ s' ∧ s' α⟹⇘SES⇙ s ∧ reachable SES s' )"
proof -
assume s0_βα_s: "s0⇘SES⇙ (β @ α)⟹⇘SES⇙ s"
from path_split[OF s0_βα_s] obtain s'
where s0_β_s': "s0⇘SES⇙ β⟹⇘SES⇙ s'"
and s'_α_s: "s' α⟹⇘SES⇙ s"
by auto
hence "reachable SES s'"
by(simp add: reachable_def, auto)
moreover
have "s' ∈ S⇘SES⇙"
proof -
from s0_β_s' validSES path_state_closure show ?thesis
by (auto simp add: SES_valid_def s0_is_state_def)
qed
ultimately show ?thesis using s'_α_s s0_β_s'
by(auto)
qed
(* Special case of path_split2 for a single final event x: the remaining
   path [x] collapses to one transition step. *)
lemma path_split_single2:
"s0⇘SES⇙ (β @ [x])⟹⇘SES⇙ s
⟹ ∃s' ∈ S⇘SES⇙. ( s0⇘SES⇙ β⟹⇘SES⇙ s' ∧ s' x⟶⇘SES⇙ s ∧ reachable SES s' )"
proof -
assume s0_βx_s: "s0⇘SES⇙ (β @ [x])⟹⇘SES⇙ s"
from path_split2[OF s0_βx_s] show ?thesis
by (auto, split if_split_asm, auto)
qed
(* Moving the N events of 𝒱 into V (and emptying N) keeps the view
   well-formed on E⇘SES⇙; the disjointness obligations follow from validVU. *)
lemma modified_view_valid: "isViewOn ⦇V = (V⇘𝒱⇙ ∪ N⇘𝒱⇙), N = {}, C = C⇘𝒱⇙⦈ E⇘SES⇙"
using validVU
unfolding isViewOn_def V_valid_def VC_disjoint_def VN_disjoint_def NC_disjoint_def by auto
end
end
Theory UnwindingResults
theory UnwindingResults
imports AuxiliaryLemmas
begin
context Unwinding
begin
(* Unwinding theorem for BSD (backwards-strict deletion): lrf together with
   osc implies that any confidential event c can be removed from a trace
   β @ [c] @ α (α C-free) while keeping the visible behaviour, i.e. some
   β @ α' with α' C-free and α' ↿ V = α ↿ V is again a trace. Only this
   soundness direction is proved here. Proof sketch: locate the state s1
   before c and s1' after it (state_from_induceES_trace, path_split_single2),
   lrf gives (s1', s1) ∈ ur, and osc_property lets s1 mimic α. *)
theorem unwinding_theorem_BSD:
"⟦ lrf ur; osc ur ⟧ ⟹ BSD 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume lrf_true: "lrf ur"
assume osc_true: "osc ur"
{
fix α β c
assume c_in_C: "c ∈ C⇘𝒱⇙"
assume βcα_in_Tr: "((β @ [c]) @ α) ∈ Tr⇘(induceES SES)⇙"
assume α_contains_no_c: "α ↿ C⇘𝒱⇙ = []"
(* s1' is the state after β @ [c]; α is enabled there. *)
from state_from_induceES_trace[OF βcα_in_Tr] obtain s1'
where s1'_in_S: "s1' ∈ S⇘SES⇙"
and enabled_s1'_α: "enabled SES s1' α"
and s0_βc_s1': "s0⇘SES⇙ (β @ [c])⟹⇘SES⇙ s1'"
and reachable_s1': "reachable SES s1'"
by auto
(* s1 is the state after β, from which the confidential step c leads to s1'. *)
from path_split_single2[OF s0_βc_s1'] obtain s1
where s1_in_S: "s1 ∈ S⇘SES⇙"
and s0_β_s1: "s0⇘SES⇙ β⟹⇘SES⇙ s1"
and s1_c_s1': "s1 c⟶⇘SES⇙ s1'"
and reachable_s1: "reachable SES s1"
by auto
(* lrf: the state before the confidential step mimics the state after it. *)
from s1_in_S s1'_in_S c_in_C reachable_s1 s1_c_s1' lrf_true
have s1'_ur_s1: "((s1', s1) ∈ ur)"
by (simp add: lrf_def, auto)
(* osc_property: s1 enables a C-free α' with the same visible projection. *)
from osc_property[OF osc_true s1_in_S s1'_in_S α_contains_no_c reachable_s1
reachable_s1' enabled_s1'_α s1'_ur_s1]
obtain α'
where α'_contains_no_c: "α' ↿ C⇘𝒱⇙ = []"
and α'_V_is_α_V: "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and enabled_s1_α': "enabled SES s1 α'"
by auto
(* Glue the path to s1 and the path for α' into a trace of the induced ES. *)
have βα'_in_Tr: "β @ α' ∈ Tr⇘(induceES SES)⇙"
proof -
note s0_β_s1
moreover
from enabled_s1_α' obtain s2
where "s1 α'⟹⇘SES⇙ s2"
by (simp add: enabled_def, auto)
ultimately have "s0⇘SES⇙ (β @ α') ⟹⇘SES⇙ s2"
by (rule path_trans)
thus ?thesis
by (simp add: induceES_def possible_traces_def enabled_def)
qed
from βα'_in_Tr α'_V_is_α_V α'_contains_no_c have
"∃α'. ((β @ α') ∈ (Tr⇘(induceES SES)⇙) ∧ (α' ↿ (V⇘𝒱⇙)) = (α ↿ V⇘𝒱⇙) ∧ α' ↿ C⇘𝒱⇙ = [])"
by auto
}
thus ?thesis
by (simp add: BSD_def)
qed
(* Unwinding theorem for BSI (backwards-strict insertion): lrb together with
   osc implies that any confidential event c can be inserted after any
   prefix β of a trace β @ α (α C-free) while keeping the visible behaviour.
   Proof sketch: take the state s1 after β, lrb provides a c-successor s1'
   with (s1, s1') ∈ ur, and osc_property lets s1' mimic α. *)
theorem unwinding_theorem_BSI:
"⟦ lrb ur; osc ur ⟧ ⟹ BSI 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume lrb_true: "lrb ur"
assume osc_true: "osc ur"
{
fix α β c
assume c_in_C: "c ∈ C⇘𝒱⇙"
assume βα_in_ind_Tr: "(β @ α) ∈ Tr⇘(induceES SES)⇙"
assume α_contains_no_c: "α ↿ C⇘𝒱⇙ = []"
(* s1 is the state after β; α is enabled there. *)
from state_from_induceES_trace[OF βα_in_ind_Tr] obtain s1
where s1_in_S : "s1 ∈ S⇘SES⇙"
and path_β_yields_s1: "s0⇘SES⇙ β⟹⇘SES⇙ s1"
and enabled_s1_α: "enabled SES s1 α"
and reachable_s1: "reachable SES s1"
by auto
(* lrb: c is enabled in s1 and its target s1' is mimicked by... note the
   orientation (s1, s1') ∈ ur, so it is s1' that must mimic s1. *)
from reachable_s1 s1_in_S c_in_C lrb_true
have "∃s1'∈ S⇘SES⇙. s1 c⟶⇘SES⇙ s1' ∧ (s1, s1') ∈ ur"
by(simp add: lrb_def)
then obtain s1'
where s1'_in_S: "s1' ∈ S⇘SES⇙"
and s1_trans_c_s1': "s1 c⟶⇘SES⇙ s1'"
and s1_s1'_in_ur: "(s1, s1') ∈ ur"
by auto
have reachable_s1': "reachable SES s1'"
proof -
from path_β_yields_s1 s1_trans_c_s1' have "s0⇘SES⇙ (β @ [c])⟹⇘SES⇙ s1'"
by (rule path_trans_single)
thus ?thesis by (simp add: reachable_def, auto)
qed
(* osc_property with the roles swapped relative to the BSD proof: s1'
   (after the inserted c) enables a C-free α' matching α on V. *)
from osc_property[OF osc_true s1'_in_S s1_in_S α_contains_no_c
reachable_s1' reachable_s1 enabled_s1_α s1_s1'_in_ur]
obtain α'
where α'_contains_no_c: "α' ↿ C⇘𝒱⇙ = []"
and α'_V_is_α_V: "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and enabled_s1'_α': "enabled SES s1' α'"
by auto
(* Glue β, the step c and α' into a trace of the induced ES. *)
have βcα'_in_ind_Tr: "β @ [c] @ α' ∈ Tr⇘(induceES SES)⇙"
proof -
from path_β_yields_s1 s1_trans_c_s1' have "s0⇘SES⇙ (β @ [c])⟹⇘SES⇙ s1'"
by (rule path_trans_single)
moreover
from enabled_s1'_α' obtain s2
where "s1' α'⟹⇘SES⇙ s2"
by (simp add: enabled_def, auto)
ultimately have "s0⇘SES⇙ ((β @ [c]) @ α')⟹⇘SES⇙ s2"
by (rule path_trans)
thus ?thesis
by (simp add: induceES_def possible_traces_def enabled_def)
qed
from βcα'_in_ind_Tr α'_V_is_α_V α'_contains_no_c
have "∃α'. β @ c # α' ∈ Tr⇘(induceES SES)⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
by auto
}
thus ?thesis
by(simp add: BSI_def)
qed
(* Unwinding theorem for BSIA (insertion of admissible confidential events):
   lrbe together with osc implies BSIA. The proof is the BSI proof with a
   case split on En ρ s1 c. If c is En-enabled in s1, lrbe plays the role of
   lrb. If it is not, Adm_to_En shows that c cannot be admissible after β
   either, contradicting the BSIA premise, so that case is vacuous. *)
theorem unwinding_theorem_BSIA:
"⟦ lrbe ρ ur; osc ur ⟧ ⟹ BSIA ρ 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume lrbe_true: "lrbe ρ ur"
assume osc_true: "osc ur"
{
fix α β c
assume c_in_C: "c ∈ C⇘𝒱⇙"
assume βα_in_ind_Tr: "(β @ α) ∈ Tr⇘(induceES SES)⇙"
assume α_contains_no_c: "α ↿ C⇘𝒱⇙ = []"
assume adm: "Adm 𝒱 ρ Tr⇘(induceES SES)⇙ β c"
from state_from_induceES_trace[OF βα_in_ind_Tr]
obtain s1
where s1_in_S : "s1 ∈ S⇘SES⇙"
and s0_β_s1: "s0⇘SES⇙ β⟹⇘SES⇙ s1"
and enabled_s1_α: "enabled SES s1 α"
and reachable_s1: "reachable SES s1"
by auto
have "∃α'. β @ [c] @ α' ∈ Tr⇘(induceES SES)⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
proof cases
(* Case 1: c is En-enabled in s1 — identical to the BSI argument, with
   lrbe supplying the c-successor s1'. *)
assume en: "En ρ s1 c"
from reachable_s1 s1_in_S c_in_C en lrbe_true
have "∃s1'∈ S⇘SES⇙. s1 c⟶⇘SES⇙ s1' ∧ (s1, s1') ∈ ur"
by(simp add: lrbe_def)
then obtain s1'
where s1'_in_S: "s1' ∈ S⇘SES⇙"
and s1_trans_c_s1': "s1 c⟶⇘SES⇙ s1'"
and s1_s1'_in_ur: "(s1, s1') ∈ ur"
by auto
have reachable_s1': "reachable SES s1'"
proof -
from s0_β_s1 s1_trans_c_s1' have "s0⇘SES⇙ (β @ [c])⟹⇘SES⇙ s1'"
by (rule path_trans_single)
thus ?thesis by (simp add: reachable_def, auto)
qed
from osc_property[OF osc_true s1'_in_S s1_in_S α_contains_no_c
reachable_s1' reachable_s1 enabled_s1_α s1_s1'_in_ur]
obtain α'
where α'_contains_no_c: "α' ↿ C⇘𝒱⇙ = []"
and α'_V_is_α_V: "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and enabled_s1'_α': "enabled SES s1' α'"
by auto
have βcα'_in_ind_Tr: "β @ [c] @ α' ∈ Tr⇘(induceES SES)⇙"
proof -
from s0_β_s1 s1_trans_c_s1' have "s0⇘SES⇙ (β @ [c])⟹⇘SES⇙ s1'"
by (rule path_trans_single)
moreover
from enabled_s1'_α' obtain s2
where "s1' α'⟹⇘SES⇙ s2"
by (simp add: enabled_def, auto)
ultimately have "s0⇘SES⇙ ((β @ [c]) @ α')⟹⇘SES⇙ s2"
by (rule path_trans)
thus ?thesis
by (simp add: induceES_def possible_traces_def enabled_def)
qed
from βcα'_in_ind_Tr α'_V_is_α_V α'_contains_no_c show ?thesis
by auto
next
(* Case 2: c is not En-enabled in s1. Show the case is impossible: Adm
   would give, via Adm_to_En, some state reached by β in which c is
   En-enabled; with the path s0 β⟹ s1 that contradicts not_en. *)
assume not_en: "¬ En ρ s1 c"
let ?A = "(Adm 𝒱 ρ (Tr⇘(induceES SES)⇙) β c)"
let ?E = "∃s ∈ S⇘SES⇙. (s0⇘SES⇙ β⟹⇘SES⇙ s ∧ En ρ s c)"
(* NOTE(review): the local name adm inside this block shadows the outer
   assumption of the same name; the block is closed before the final
   "with adm" below, which therefore refers to the outer assumption. *)
{
assume adm: "?A"
from s0_β_s1 have β_in_Tr: "β ∈ Tr⇘(induceES SES)⇙"
by (simp add: induceES_def possible_traces_def enabled_def)
from β_in_Tr adm have "?E"
by (rule Adm_to_En)
}
hence Adm_to_En_contr: "¬ ?E ⟹ ¬ ?A"
by blast
with s1_in_S s0_β_s1 not_en have not_adm: "¬ ?A"
by auto
with adm show ?thesis
by auto
qed
}
thus ?thesis
by (simp add: BSIA_def)
qed
(* Unwinding theorem for FCD (forward-correctable deletion): fcrf together
   with osc implies FCD. For a trace β @ [c] @ [v] @ α with c ∈ C ∩ Υ⇘Γ⇙,
   v ∈ V ∩ ∇⇘Γ⇙ and α C-free, fcrf replaces the two-step [c] @ [v] from the
   state s1 after β by δ @ [v] with δ from N ∩ Δ⇘Γ⇙, and osc_property lets
   the resulting state s1'' mimic α. *)
theorem unwinding_theorem_FCD:
"⟦ fcrf Γ ur; osc ur ⟧ ⟹ FCD Γ 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume fcrf: "fcrf Γ ur"
assume osc: "osc ur"
{
fix α β c v
assume c_in_C_inter_Y: "c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙)"
assume v_in_V_inter_Nabla: "v ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙)"
assume βcvα_in_Tr: "((β @ [c] @ [v]) @ α) ∈ Tr⇘(induceES SES)⇙"
assume α_contains_no_c: "α ↿ C⇘𝒱⇙ = []"
(* s1' is the state after β @ [c] @ [v], s1 the state after β. *)
from state_from_induceES_trace[OF βcvα_in_Tr] obtain s1'
where s1'_in_S: "s1' ∈ S⇘SES⇙"
and s0_βcv_s1': "s0⇘SES⇙ (β @ ([c] @ [v]))⟹⇘SES⇙ s1'"
and enabled_s1'_α: "enabled SES s1' α"
and reachable_s1': "reachable SES s1'"
by auto
from path_split2[OF s0_βcv_s1'] obtain s1
where s1_in_S: "s1 ∈ S⇘SES⇙"
and s0_β_s1: "s0⇘SES⇙ β⟹⇘SES⇙ s1"
and s1_cv_s1': "s1 ([c] @ [v])⟹⇘SES⇙ s1'"
and reachable_s1: "reachable SES s1"
by (auto)
(* fcrf: the corrected path δ @ [v] from s1 reaches s1'' with
   (s1', s1'') ∈ ur. *)
from c_in_C_inter_Y v_in_V_inter_Nabla s1_in_S s1'_in_S reachable_s1 s1_cv_s1' fcrf
have "∃s1'' ∈ S⇘SES⇙. ∃δ. (∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)) ∧
s1 (δ @ [v])⟹⇘SES⇙ s1'' ∧ (s1', s1'') ∈ ur"
by (simp add: fcrf_def)
then obtain s1'' δ
where s1''_in_S: "s1'' ∈ S⇘SES⇙"
and δ_in_N_inter_Delta_star: "(∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙))"
and s1_δv_s1'': "s1 (δ @ [v])⟹⇘SES⇙ s1''"
and s1'_ur_s1'': "(s1', s1'') ∈ ur"
by auto
have reachable_s1'': "reachable SES s1''"
proof -
from s0_β_s1 s1_δv_s1'' have "s0⇘SES⇙ (β @ (δ @ [v]))⟹⇘SES⇙ s1''"
by (rule path_trans)
thus ?thesis
by (simp add: reachable_def, auto)
qed
(* osc_property: s1'' enables a C-free α' matching α on V. *)
from osc_property[OF osc s1''_in_S s1'_in_S α_contains_no_c
reachable_s1'' reachable_s1' enabled_s1'_α s1'_ur_s1'']
obtain α'
where α'_contains_no_c: "α' ↿ C⇘𝒱⇙ = []"
and α'_V_is_α_V: "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and enabled_s1''_α': "enabled SES s1'' α'"
by auto
(* Glue β, δ @ [v] and α' into a trace of the induced ES. *)
have βδvα'_in_Tr: "β @ δ @ [v] @ α' ∈ Tr⇘(induceES SES)⇙"
proof -
from s0_β_s1 s1_δv_s1'' have "s0⇘SES⇙ (β @ δ @ [v])⟹⇘SES⇙ s1''"
by (rule path_trans)
moreover
from enabled_s1''_α' obtain s2
where "s1'' α'⟹⇘SES⇙ s2"
by (simp add: enabled_def, auto)
ultimately have "s0⇘SES⇙ ((β @ δ @ [v]) @ α')⟹⇘SES⇙ s2"
by (rule path_trans)
thus ?thesis
by (simp add: induceES_def possible_traces_def enabled_def)
qed
from δ_in_N_inter_Delta_star βδvα'_in_Tr α'_V_is_α_V α'_contains_no_c
have "∃α'. ∃δ'. set δ' ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ β @ δ' @ [v] @ α' ∈ Tr⇘(induceES SES)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
by auto
}
thus ?thesis
by (simp add: FCD_def)
qed
(* Unwinding theorem for FCI (forward-correctable insertion): fcrb together
   with osc implies FCI. For a trace β @ [v] @ α with v ∈ V ∩ ∇⇘Γ⇙ and α
   C-free, fcrb lets the state s1 after β perform [c] @ δ @ [v] instead of
   the single step v (δ from N ∩ Δ⇘Γ⇙), reaching s1' with (s1'', s1') ∈ ur,
   and osc_property lets s1' mimic α. *)
theorem unwinding_theorem_FCI:
"⟦ fcrb Γ ur; osc ur ⟧ ⟹ FCI Γ 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume fcrb: "fcrb Γ ur"
assume osc: "osc ur"
{
fix α β c v
assume c_in_C_inter_Y: "c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙)"
assume v_in_V_inter_Nabla: "v ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙)"
assume βvα_in_Tr: "((β @ [v]) @ α) ∈ Tr⇘(induceES SES)⇙"
assume α_contains_no_c: "α ↿ C⇘𝒱⇙ = []"
(* s1'' is the state after β @ [v], s1 the state after β. *)
from state_from_induceES_trace[OF βvα_in_Tr] obtain s1''
where s1''_in_S: "s1'' ∈ S⇘SES⇙"
and s0_βv_s1'': "s0⇘SES⇙ (β @ [v]) ⟹⇘SES⇙ s1''"
and enabled_s1''_α: "enabled SES s1'' α"
and reachable_s1'': "reachable SES s1''"
by auto
from path_split_single2[OF s0_βv_s1''] obtain s1
where s1_in_S: "s1 ∈ S⇘SES⇙"
and s0_β_s1: "s0⇘SES⇙ β⟹⇘SES⇙ s1"
and s1_v_s1'': "s1 v⟶⇘SES⇙ s1''"
and reachable_s1: "reachable SES s1"
by (auto)
(* fcrb: the inserted-and-corrected path [c] @ δ @ [v] from s1 reaches s1'
   with (s1'', s1') ∈ ur. *)
from c_in_C_inter_Y v_in_V_inter_Nabla s1_in_S
s1''_in_S reachable_s1 s1_v_s1'' fcrb
have "∃s1' ∈ S⇘SES⇙. ∃δ. (∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙))
∧ s1 ([c] @ δ @ [v])⟹⇘SES⇙ s1'
∧ (s1'', s1') ∈ ur"
by (simp add: fcrb_def)
then obtain s1' δ
where s1'_in_S: "s1' ∈ S⇘SES⇙"
and δ_in_N_inter_Delta_star: "(∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙))"
and s1_cδv_s1': "s1 ([c] @ δ @ [v])⟹⇘SES⇙ s1'"
and s1''_ur_s1': "(s1'', s1') ∈ ur"
by auto
have reachable_s1': "reachable SES s1'"
proof -
from s0_β_s1 s1_cδv_s1' have "s0⇘SES⇙ (β @ ([c] @ δ @ [v]))⟹⇘SES⇙ s1'"
by (rule path_trans)
thus ?thesis
by (simp add: reachable_def, auto)
qed
(* osc_property: s1' enables a C-free α' matching α on V. *)
from osc_property[OF osc s1'_in_S s1''_in_S α_contains_no_c
reachable_s1' reachable_s1'' enabled_s1''_α s1''_ur_s1']
obtain α'
where α'_contains_no_c: "α' ↿ C⇘𝒱⇙ = []"
and α'_V_is_α_V: "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and enabled_s1'_α': "enabled SES s1' α'"
by auto
(* Glue β @ [c] @ δ @ [v] and α' into a trace of the induced ES. *)
have βcδvα'_in_Tr: "β @ [c] @ δ @ [v] @ α' ∈ Tr⇘(induceES SES)⇙"
proof -
let ?l1 = "β @ [c] @ δ @ [v]"
let ?l2 = "α'"
from s0_β_s1 s1_cδv_s1' have "s0⇘SES⇙ (?l1)⟹⇘SES⇙ s1'"
by (rule path_trans)
moreover
from enabled_s1'_α' obtain s1337 where "s1' ?l2 ⟹⇘SES⇙ s1337"
by (simp add: enabled_def, auto)
ultimately have "s0⇘SES⇙ (?l1 @ ?l2)⟹⇘SES⇙ s1337"
by (rule path_trans)
thus ?thesis
by (simp add: induceES_def possible_traces_def enabled_def)
qed
from δ_in_N_inter_Delta_star βcδvα'_in_Tr α'_V_is_α_V α'_contains_no_c
have "∃α' δ'.
set δ' ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ β @ [c] @ δ' @ [v] @ α' ∈ Tr⇘(induceES SES)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
by auto
}
thus ?thesis
by(simp add: FCI_def)
qed
(* Unwinding theorem for FCIA, the admissibility-restricted variant of FCI:
   the unwinding conditions fcrbe (parameterised by ρ) and osc on the state
   relation ur imply FCIA for the trace set induced by SES.
   The proof follows the FCI unwinding proof above; the additional hypothesis
   Adm 𝒱 ρ Tr β c is only needed in the branch where c is not enabled in the
   state reached after β. *)
theorem unwinding_theorem_FCIA:
"⟦ fcrbe Γ ρ ur; osc ur ⟧ ⟹ FCIA ρ Γ 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume fcrbe: "fcrbe Γ ρ ur"
assume osc: "osc ur"
{
fix α β c v
assume c_in_C_inter_Y: "c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙)"
assume v_in_V_inter_Nabla: "v ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙)"
assume βvα_in_Tr: "((β @ [v]) @ α) ∈ Tr⇘(induceES SES)⇙"
assume α_contains_no_c: "α ↿ C⇘𝒱⇙ = []"
(* Admissibility of c after β -- the hypothesis FCIA adds on top of FCI. *)
assume adm: "Adm 𝒱 ρ Tr⇘(induceES SES)⇙ β c"
(* Recover the state s1'' reached after β @ [v]; α is enabled there. *)
from state_from_induceES_trace[OF βvα_in_Tr] obtain s1''
where s1''_in_S: "s1'' ∈ S⇘SES⇙"
and s0_βv_s1'': "s0⇘SES⇙ (β @ [v])⟹⇘SES⇙ s1''"
and enabled_s1''_α: "enabled SES s1'' α"
and reachable_s1'': "reachable SES s1''"
by auto
(* Split off the final step v to obtain the state s1 reached after β alone. *)
from path_split_single2[OF s0_βv_s1''] obtain s1
where s1_in_S: "s1 ∈ S⇘SES⇙"
and s0_β_s1: "s0⇘SES⇙ β⟹⇘SES⇙ s1"
and s1_v_s1'': "s1 v⟶⇘SES⇙ s1''"
and reachable_s1: "reachable SES s1"
by (auto)
have "∃α' δ'.(set δ' ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙) ∧ β @ [c] @ δ' @ [v] @ α' ∈ Tr⇘(induceES SES)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
(* Case split on whether c is enabled (w.r.t. ρ) in s1. *)
proof (cases)
assume en: "En ρ s1 c"
(* fcrbe yields a state s1' reached from s1 by c, some N ∩ Δ events δ, and v,
   with s1' related to s1'' via ur. *)
from c_in_C_inter_Y v_in_V_inter_Nabla s1_in_S s1''_in_S reachable_s1 s1_v_s1'' en fcrbe
have "∃s1' ∈ S⇘SES⇙. ∃δ. (∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙))
∧ s1 ([c] @ δ @ [v]) ⟹⇘SES⇙ s1'
∧ (s1'', s1') ∈ ur"
by (simp add: fcrbe_def)
then obtain s1' δ
where s1'_in_S: "s1' ∈ S⇘SES⇙"
and δ_in_N_inter_Delta_star: "(∀d ∈ (set δ). d ∈ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙))"
and s1_cδv_s1': "s1 ([c] @ δ @ [v]) ⟹⇘SES⇙ s1'"
and s1''_ur_s1': "(s1'', s1') ∈ ur"
by (auto)
have reachable_s1': "reachable SES s1'"
proof -
from s0_β_s1 s1_cδv_s1' have "s0⇘SES⇙ (β @ ([c] @ δ @ [v]))⟹⇘SES⇙ s1'"
by (rule path_trans)
thus ?thesis
by (simp add: reachable_def, auto)
qed
(* osc transfers the C-free continuation α of s1'' to a continuation α' of
   s1' with the same V-projection and again no C events. *)
from osc_property[OF osc s1'_in_S s1''_in_S α_contains_no_c reachable_s1'
reachable_s1'' enabled_s1''_α s1''_ur_s1']
obtain α'
where α'_contains_no_c: "α' ↿ C⇘𝒱⇙ = []"
and α'_V_is_α_V: "α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and enabled_s1'_α': "enabled SES s1' α'"
by auto
(* Glue the path to s1' and the enabled α' into one trace of induceES SES. *)
have βcδvα'_in_Tr: "β @ [c] @ δ @ [v] @ α' ∈ Tr⇘(induceES SES)⇙"
proof -
let ?l1 = "β @ [c] @ δ @ [v]"
let ?l2 = "α'"
from s0_β_s1 s1_cδv_s1' have "s0⇘SES⇙ (?l1)⟹⇘SES⇙ s1'"
by (rule path_trans)
moreover
from enabled_s1'_α' obtain s1337 where "s1' ?l2⟹⇘SES⇙ s1337"
by (simp add: enabled_def, auto)
ultimately have "s0⇘SES⇙ (?l1 @ ?l2)⟹⇘SES⇙ s1337"
by (rule path_trans)
thus ?thesis
by (simp add: induceES_def possible_traces_def enabled_def)
qed
from δ_in_N_inter_Delta_star βcδvα'_in_Tr α'_V_is_α_V α'_contains_no_c
show ?thesis
by auto
next
assume not_en: "¬ En ρ s1 c"
(* c not enabled in s1: Adm_to_En turns admissibility into the existence of a
   β-reachable state enabling c; together with not_en this refutes adm, so the
   goal holds vacuously (presumably relying on the state reached via β being
   unique -- confirm against the SES determinism facts available to auto). *)
let ?A = "(Adm 𝒱 ρ Tr⇘(induceES SES)⇙ β c)"
let ?E = "∃s ∈ S⇘SES⇙. (s0⇘SES⇙ β⟹⇘SES⇙ s ∧ En ρ s c)"
{
assume adm: "?A"
from s0_β_s1 have β_in_Tr: "β ∈ Tr⇘(induceES SES)⇙"
by (simp add: induceES_def possible_traces_def enabled_def)
from β_in_Tr adm have "?E"
by (rule Adm_to_En)
}
hence Adm_to_En_contr: "¬ ?E ⟹ ¬ ?A"
by blast
with s1_in_S s0_β_s1 not_en have not_adm: "¬ ?A"
by auto
with adm show ?thesis
by auto
qed
}
thus ?thesis
by (simp add: FCIA_def)
qed
(* Unwinding theorem for SD: lrf and osc for the modified view 𝒱' -- in which
   N⇘𝒱⇙ is merged into the visible events, N is empty and C is unchanged --
   imply SD for 𝒱. The Unwinding locale is re-interpreted for 𝒱', its BSD
   unwinding theorem is applied, and BSD_implies_SD_for_modified_view closes
   the goal. *)
theorem unwinding_theorem_SD:
"⟦ 𝒱' = ⦇ V = (V⇘𝒱⇙ ∪ N⇘𝒱⇙), N = {}, C = C⇘𝒱⇙ ⦈;
Unwinding.lrf SES 𝒱' ur; Unwinding.osc SES 𝒱' ur ⟧
⟹ SD 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume view'_def : "𝒱' = ⦇V = (V⇘𝒱⇙ ∪ N⇘𝒱⇙), N = {}, C = C⇘𝒱⇙⦈"
assume lrf_view' : "Unwinding.lrf SES 𝒱' ur"
assume osc_view' : "Unwinding.osc SES 𝒱' ur"
(* 𝒱' is a valid view on SES (modified_view_valid), so the locale applies. *)
interpret modified_view: Unwinding "SES" "𝒱'"
by (unfold_locales, rule validSES, simp add: view'_def modified_view_valid)
from lrf_view' osc_view' have BSD_view' : "BSD 𝒱' Tr⇘(induceES SES)⇙"
by (rule_tac ur="ur" in modified_view.unwinding_theorem_BSD)
with view'_def BSD_implies_SD_for_modified_view show ?thesis
by auto
qed
(* Unwinding theorem for SI: lrb and osc for the modified view 𝒱' (N⇘𝒱⇙ merged
   into V, N = {}, C unchanged) imply SI for 𝒱. Same route as
   unwinding_theorem_SD, via BSI for 𝒱' and BSI_implies_SI_for_modified_view. *)
theorem unwinding_theorem_SI:
"⟦ 𝒱' = ⦇ V = (V⇘𝒱⇙ ∪ N⇘𝒱⇙), N = {}, C = C⇘𝒱⇙ ⦈;
Unwinding.lrb SES 𝒱' ur; Unwinding.osc SES 𝒱' ur ⟧
⟹ SI 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume view'_def : "𝒱' = ⦇V = V⇘𝒱⇙ ∪ N⇘𝒱⇙, N = {}, C = C⇘𝒱⇙⦈"
assume lrb_view' : "Unwinding.lrb SES 𝒱' ur"
assume osc_view' : "Unwinding.osc SES 𝒱' ur"
(* Re-interpret the Unwinding locale for the modified view. *)
interpret modified_view: Unwinding "SES" "𝒱'"
by (unfold_locales, rule validSES, simp add: view'_def modified_view_valid)
from lrb_view' osc_view' have BSI_view' : "BSI 𝒱' Tr⇘(induceES SES)⇙"
by (rule_tac ur="ur" in modified_view.unwinding_theorem_BSI)
with view'_def BSI_implies_SI_for_modified_view show ?thesis
by auto
qed
(* Unwinding theorem for SIA: lrbe (with ρ) and osc for the modified view 𝒱'
   imply SIA ρ for 𝒱. In addition to the SD/SI theorems this needs ρ to agree
   on 𝒱 and 𝒱', since ρ is a parameter of the property being transferred. *)
theorem unwinding_theorem_SIA:
"⟦ 𝒱' = ⦇ V = (V⇘𝒱⇙ ∪ N⇘𝒱⇙), N = {}, C = C⇘𝒱⇙ ⦈; ρ 𝒱 = ρ 𝒱';
Unwinding.lrbe SES 𝒱' ρ ur; Unwinding.osc SES 𝒱' ur ⟧
⟹ SIA ρ 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume view'_def : "𝒱' = ⦇V = V⇘𝒱⇙ ∪ N⇘𝒱⇙, N = {}, C = C⇘𝒱⇙⦈"
assume ρ_eq : "ρ 𝒱 = ρ 𝒱'"
assume lrbe_view' : "Unwinding.lrbe SES 𝒱' ρ ur"
assume osc_view' : "Unwinding.osc SES 𝒱' ur"
(* Re-interpret the Unwinding locale for the modified view. *)
interpret modified_view: Unwinding "SES" "𝒱'"
by (unfold_locales, rule validSES, simp add: view'_def modified_view_valid)
from lrbe_view' osc_view' have BSIA_view' : "BSIA ρ 𝒱' Tr⇘(induceES SES)⇙"
by (rule_tac ur="ur" in modified_view.unwinding_theorem_BSIA)
with view'_def BSIA_implies_SIA_for_modified_view ρ_eq show ?thesis
by auto
qed
(* Unwinding theorem for SR: same premises as unwinding_theorem_SD; SR is
   obtained from SD via SD_implies_SR. *)
theorem unwinding_theorem_SR:
"⟦ 𝒱' = ⦇ V = (V⇘𝒱⇙ ∪ N⇘𝒱⇙), N = {}, C = C⇘𝒱⇙ ⦈;
Unwinding.lrf SES 𝒱' ur; Unwinding.osc SES 𝒱' ur ⟧
⟹ SR 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume view'_def : "𝒱' = ⦇V = V⇘𝒱⇙ ∪ N⇘𝒱⇙, N = {}, C = C⇘𝒱⇙⦈"
assume lrf_view' : "Unwinding.lrf SES 𝒱' ur"
assume osc_view' : "Unwinding.osc SES 𝒱' ur"
from lrf_view' osc_view' view'_def have S_view : "SD 𝒱 Tr⇘(induceES SES)⇙"
by (rule_tac ur="ur" in unwinding_theorem_SD, auto)
with SD_implies_SR show ?thesis
by auto
qed
(* Unwinding theorem for D: lrf and osc give BSD (unwinding_theorem_BSD), and
   BSD implies D. *)
theorem unwinding_theorem_D:
"⟦ lrf ur; osc ur ⟧ ⟹ D 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume "lrf ur"
and "osc ur"
hence "BSD 𝒱 Tr⇘(induceES SES)⇙"
by (rule unwinding_theorem_BSD)
thus ?thesis
by (rule BSD_implies_D)
qed
(* Unwinding theorem for I: lrb and osc give BSI (unwinding_theorem_BSI), and
   BSI implies I. *)
theorem unwinding_theorem_I:
"⟦ lrb ur; osc ur ⟧ ⟹ I 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume "lrb ur"
and "osc ur"
hence "BSI 𝒱 Tr⇘(induceES SES)⇙"
by (rule unwinding_theorem_BSI)
thus ?thesis
by (rule BSI_implies_I)
qed
(* Unwinding theorem for IA: lrbe ρ and osc give BSIA ρ
   (unwinding_theorem_BSIA), and BSIA implies IA. *)
theorem unwinding_theorem_IA:
"⟦ lrbe ρ ur; osc ur ⟧ ⟹ IA ρ 𝒱 Tr⇘(induceES SES)⇙"
proof -
assume "lrbe ρ ur"
and "osc ur"
hence "BSIA ρ 𝒱 Tr⇘(induceES SES)⇙"
by (rule unwinding_theorem_BSIA)
thus ?thesis
by (rule BSIA_implies_IA)
qed
(* Unwinding theorem for R: lrf and osc give BSD, BSD implies D, and D
   implies R. *)
theorem unwinding_theorem_R:
"⟦ lrf ur; osc ur ⟧ ⟹ R 𝒱 (Tr⇘(induceES SES)⇙)"
proof -
assume "lrf ur"
and "osc ur"
hence "BSD 𝒱 Tr⇘(induceES SES)⇙"
by (rule unwinding_theorem_BSD)
hence "D 𝒱 Tr⇘(induceES SES)⇙"
by (rule BSD_implies_D)
thus ?thesis
by (rule D_implies_R)
qed
end
end
Theory CompositionBase
theory CompositionBase
imports "../Basics/BSPTaxonomy"
begin
(* Proper separation of a global view 𝒱 on the composition into component
   views 𝒱1, 𝒱2: the visible events of each component view are exactly the
   global visible events among that component's events; every global
   confidential event of a component is also confidential in that
   component's view (subset, not equality); and the two components' N sets
   are disjoint. *)
definition
properSeparationOfViews ::
"'e ES_rec ⇒ 'e ES_rec ⇒ 'e V_rec ⇒ 'e V_rec ⇒ 'e V_rec ⇒ bool"
where
"properSeparationOfViews ES1 ES2 𝒱 𝒱1 𝒱2 ≡
V⇘𝒱⇙ ∩ E⇘ES1⇙ = V⇘𝒱1⇙
∧ V⇘𝒱⇙ ∩ E⇘ES2⇙ = V⇘𝒱2⇙
∧ C⇘𝒱⇙ ∩ E⇘ES1⇙ ⊆ C⇘𝒱1⇙
∧ C⇘𝒱⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙
∧ N⇘𝒱1⇙ ∩ N⇘𝒱2⇙ = {}"
(* Well-behaved composition: a disjunction of four alternative side
   conditions on the components (assumed by the Compositionality locale):
   (1) neither component's N events occur in the other component's event set;
   (2) N⇘𝒱1⇙ is disjoint from E⇘ES2⇙, and ES1 is total on C⇘𝒱1⇙ ∩ N⇘𝒱2⇙ and
       satisfies BSIA for some ρ1;
   (3) symmetric to (2) with the roles of the components swapped;
   (4) both components satisfy BSIA and FCIA, with Γ1/Γ2 drawn from their own
       events, both are total on the shared C ∩ N events, shared visible
       events lie in ∇⇘Γ1⇙ ∪ ∇⇘Γ2⇙, shared C ∩ N events lie in the respective
       Υ, and N ∩ Δ events of one component do not occur in the other. *)
definition
wellBehavedComposition ::
"'e ES_rec ⇒ 'e ES_rec ⇒ 'e V_rec ⇒ 'e V_rec ⇒ 'e V_rec ⇒ bool"
where
"wellBehavedComposition ES1 ES2 𝒱 𝒱1 𝒱2 ≡
( N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {} )
∨ (∃ρ1. ( N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {} ∧ total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙)
∧ BSIA ρ1 𝒱1 Tr⇘ES1⇙ ))
∨ (∃ρ2. ( N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {} ∧ total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙)
∧ BSIA ρ2 𝒱2 Tr⇘ES2⇙ ))
∨ (∃ρ1 ρ2 Γ1 Γ2. (
∇⇘Γ1⇙ ⊆ E⇘ES1⇙ ∧ Δ⇘Γ1⇙ ⊆ E⇘ES1⇙ ∧ Υ⇘Γ1⇙ ⊆ E⇘ES1⇙
∧ ∇⇘Γ2⇙ ⊆ E⇘ES2⇙ ∧ Δ⇘Γ2⇙ ⊆ E⇘ES2⇙ ∧ Υ⇘Γ2⇙ ⊆ E⇘ES2⇙
∧ BSIA ρ1 𝒱1 Tr⇘ES1⇙ ∧ BSIA ρ2 𝒱2 Tr⇘ES2⇙
∧ total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙) ∧ total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙)
∧ FCIA ρ1 Γ1 𝒱1 Tr⇘ES1⇙ ∧ FCIA ρ2 Γ2 𝒱2 Tr⇘ES2⇙
∧ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ⊆ ∇⇘Γ1⇙ ∪ ∇⇘Γ2⇙
∧ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙ ⊆ Υ⇘Γ1⇙ ∧ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙ ⊆ Υ⇘Γ2⇙
∧ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {} ))"
(* Setting for the compositionality results: two valid, composable event
   systems ES1, ES2; a global view 𝒱 on the events of ES1 ∥ ES2 and component
   views 𝒱1, 𝒱2 on the respective component events; the views are properly
   separated and the composition is well behaved (see the definitions above). *)
locale Compositionality =
fixes ES1 :: "'e ES_rec"
and ES2 :: "'e ES_rec"
and 𝒱 :: "'e V_rec"
and 𝒱1 :: "'e V_rec"
and 𝒱2 :: "'e V_rec"
assumes validES1: "ES_valid ES1"
and validES2: "ES_valid ES2"
and composableES1ES2: "composable ES1 ES2"
and validVC: "isViewOn 𝒱 (E⇘(ES1 ∥ ES2)⇙)"
and validV1: "isViewOn 𝒱1 E⇘ES1⇙"
and validV2: "isViewOn 𝒱2 E⇘ES2⇙"
and propSepViews: "properSeparationOfViews ES1 ES2 𝒱 𝒱1 𝒱2"
and well_behaved_composition: "wellBehavedComposition ES1 ES2 𝒱 𝒱1 𝒱2"
(* Every Compositionality instance is a BSPTaxonomyDifferentCorrections
   instance for the composed system ES1 ∥ ES2 and the global view 𝒱;
   composeES_yields_ES supplies ES_valid for the composition. *)
sublocale Compositionality ⊆ BSPTaxonomyDifferentCorrections "ES1 ∥ ES2" "𝒱"
by (unfold_locales, rule composeES_yields_ES, rule validES1,
rule validES2, rule validVC)
context Compositionality
begin
(* The global visible events are exactly the union of the component visible
   events. Follows from the two V-equations in properSeparationOfViews, since
   the events of ES1 ∥ ES2 are E⇘ES1⇙ ∪ E⇘ES2⇙ (composeES_def) and V⇘𝒱⇙ lies
   within them (validVC). *)
lemma Vv_is_Vv1_union_Vv2: "V⇘𝒱⇙ = V⇘𝒱1⇙ ∪ V⇘𝒱2⇙"
proof -
from propSepViews have "V⇘𝒱⇙ ∩ E⇘ES1⇙ ∪ V⇘𝒱⇙ ∩ E⇘ES2⇙ = V⇘𝒱1⇙ ∪ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
hence "V⇘𝒱⇙ ∩ (E⇘ES1⇙ ∪ E⇘ES2⇙) = V⇘𝒱1⇙ ∪ V⇘𝒱2⇙"
by auto
hence "V⇘𝒱⇙ ∩ E⇘(ES1 ∥ ES2)⇙ = V⇘𝒱1⇙ ∪ V⇘𝒱2⇙"
by (simp add: composeES_def)
with validVC show ?thesis
by (simp add: isViewOn_def, auto)
qed
(* N events of component 1 are not visible in component 2: N⇘𝒱1⇙ ⊆ E⇘ES1⇙,
   V⇘𝒱2⇙ = V⇘𝒱⇙ ∩ E⇘ES2⇙, and N⇘𝒱1⇙ is disjoint from V⇘𝒱⇙ ∩ E⇘ES1⇙ = V⇘𝒱1⇙
   because 𝒱1 is a view (VN_disjoint). *)
lemma disjoint_Nv1_Vv2: "N⇘𝒱1⇙ ∩ V⇘𝒱2⇙ = {}"
proof -
from validV1 have "N⇘𝒱1⇙ ⊆ E⇘ES1⇙"
by (simp add: isViewOn_def, auto)
with propSepViews have "N⇘𝒱1⇙ ∩ V⇘𝒱2⇙ = (N⇘𝒱1⇙ ∩ E⇘ES1⇙ ∩ V⇘𝒱⇙) ∩ E⇘ES2⇙"
unfolding properSeparationOfViews_def by auto
hence "N⇘𝒱1⇙ ∩ V⇘𝒱2⇙ = (N⇘𝒱1⇙ ∩ V⇘𝒱⇙ ∩ E⇘ES1⇙) ∩ E⇘ES2⇙"
by auto
moreover
from validV1 have "N⇘𝒱1⇙ ∩ V⇘𝒱⇙ ∩ E⇘ES1⇙ = {}"
using propSepViews unfolding properSeparationOfViews_def
by (metis VN_disjoint_def V_valid_def inf_assoc inf_commute isViewOn_def)
ultimately show ?thesis
by auto
qed
(* Symmetric counterpart of disjoint_Nv1_Vv2: N events of component 2 are not
   visible in component 1. *)
lemma disjoint_Nv2_Vv1: "N⇘𝒱2⇙ ∩ V⇘𝒱1⇙ = {}"
proof -
from validV2 have "N⇘𝒱2⇙ ⊆ E⇘ES2⇙"
by (simp add:isViewOn_def, auto)
with propSepViews have "N⇘𝒱2⇙ ∩ V⇘𝒱1⇙ = (N⇘𝒱2⇙ ∩ E⇘ES2⇙ ∩ V⇘𝒱⇙) ∩ E⇘ES1⇙"
unfolding properSeparationOfViews_def by auto
hence "N⇘𝒱2⇙ ∩ V⇘𝒱1⇙ = (N⇘𝒱2⇙ ∩ V⇘𝒱⇙ ∩ E⇘ES2⇙) ∩ E⇘ES1⇙"
by auto
moreover
from validV2 have "N⇘𝒱2⇙ ∩ V⇘𝒱⇙ ∩ E⇘ES2⇙ = {}"
using propSepViews unfolding properSeparationOfViews_def
by (metis VN_disjoint_def V_valid_def inf_assoc inf_commute isViewOn_def)
ultimately show ?thesis
by auto
qed
(* Strengthened merge: two component traces t1, t2 that agree on their shared
   events (t1 ↿ E⇘ES2⇙ = t2 ↿ E⇘ES1⇙) and contain no global V or C events can
   be interleaved into a single t that projects back to t1 and t2, again has
   no V or C events, and uses only events of the two components. The
   interleaving itself comes from merge_property; the rest is bookkeeping on
   set t ⊆ set t1 ∪ set t2. *)
lemma merge_property': " ⟦ set t1 ⊆ E⇘ES1⇙; set t2 ⊆ E⇘ES2⇙;
t1 ↿ E⇘ES2⇙ = t2 ↿ E⇘ES1⇙; t1 ↿ V⇘𝒱⇙ = []; t2 ↿ V⇘𝒱⇙ = [];
t1 ↿ C⇘𝒱⇙ = []; t2 ↿ C⇘𝒱⇙ = [] ⟧
⟹ ∃ t. (t ↿ E⇘ES1⇙ = t1 ∧ t ↿ E⇘ES2⇙ = t2 ∧ t ↿ V⇘𝒱⇙ = [] ∧ t ↿ C⇘𝒱⇙ = [] ∧ set t ⊆ (E⇘ES1⇙ ∪ E⇘ES2⇙))"
proof -
assume t1_in_E1star: "set t1 ⊆ E⇘ES1⇙"
and t2_in_E2star: "set t2 ⊆ E⇘ES2⇙"
and t1_t2_synchronized: "t1 ↿ E⇘ES2⇙ = t2 ↿ E⇘ES1⇙"
and t1Vv_empty: "t1 ↿ V⇘𝒱⇙ = []"
and t2Vv_empty: "t2 ↿ V⇘𝒱⇙ = []"
and t1Cv_empty: "t1 ↿ C⇘𝒱⇙ = []"
and t2Cv_empty: "t2 ↿ C⇘𝒱⇙ = []"
(* The basic merge lemma gives the interleaving and bounds its events. *)
from merge_property[OF t1_in_E1star t2_in_E2star t1_t2_synchronized] obtain t
where t_is_interleaving: "t ↿ E⇘ES1⇙ = t1 ∧ t ↿ E⇘ES2⇙ = t2"
and t_contains_only_events_from_t1_t2: "set t ⊆ set t1 ∪ set t2"
unfolding Let_def
by auto
moreover
(* No visible events: V⇘𝒱⇙ = V⇘𝒱1⇙ ∪ V⇘𝒱2⇙ and each part is empty in t1/t2. *)
from t1Vv_empty t2Vv_empty t_contains_only_events_from_t1_t2
have "t ↿ V⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute Vv_is_Vv1_union_Vv2 projection_on_union projection_sequence t_is_interleaving)
moreover
(* No confidential events: none occur in t1 or t2, hence none in t. *)
have "t ↿ C⇘𝒱⇙ = []"
proof -
from t1Cv_empty have "∀c ∈ C⇘𝒱⇙. c ∉ set t1"
by (simp add: projection_def filter_empty_conv, fast)
moreover
from t2Cv_empty have "∀c ∈ C⇘𝒱⇙. c ∉ set t2"
by (simp add: projection_def filter_empty_conv, fast)
ultimately have
"∀c ∈ C⇘𝒱⇙. c ∉ (set t1 ∪ set t2)"
by auto
with t_contains_only_events_from_t1_t2 have "∀c ∈ C⇘𝒱⇙. c ∉ set t"
by auto
thus ?thesis
by (simp add: projection_def, metis filter_empty_conv)
qed
moreover
from t1_in_E1star t2_in_E2star t_contains_only_events_from_t1_t2
have "set t ⊆ (E⇘ES1⇙ ∪ E⇘ES2⇙)"
by auto
ultimately show ?thesis
by blast
qed
(* Component N events are N events of the global view. For each component, an
   N event lies in that component's events and is neither V nor C there; by
   properSeparationOfViews it is then neither in V⇘𝒱⇙ nor in C⇘𝒱⇙, and since
   𝒱 is a view on E⇘(ES1 ∥ ES2)⇙ (validVC) it must be in N⇘𝒱⇙. *)
lemma Nv1_union_Nv2_subsetof_Nv: "N⇘𝒱1⇙ ∪ N⇘𝒱2⇙ ⊆ N⇘𝒱⇙"
proof -
{
fix e
assume e_in_N1: "e ∈ N⇘𝒱1⇙"
with validV1 have
e_in_E1: "e ∈ E⇘ES1⇙"
and e_notin_V1: "e ∉ V⇘𝒱1⇙"
and e_notin_C1: "e ∉ C⇘𝒱1⇙"
by (simp only: isViewOn_def V_valid_def VC_disjoint_def NC_disjoint_def
VN_disjoint_def, auto)+
from e_in_E1 e_notin_V1 propSepViews have "e ∉ V⇘𝒱⇙"
unfolding properSeparationOfViews_def by auto
moreover
from e_in_E1 e_notin_C1 propSepViews have "e ∉ C⇘𝒱⇙"
unfolding properSeparationOfViews_def by auto
moreover
note e_in_E1 validVC
ultimately have "e ∈ N⇘𝒱⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def NC_disjoint_def VN_disjoint_def
composeES_def, auto)
}
moreover {
(* Second component, same argument. *)
fix e
assume e_in_N2: "e ∈ N⇘𝒱2⇙"
with validV2 have
(* Written with the raw selector E_ES rather than the E⇘_⇙ notation used
   elsewhere in this file; presumably the same term -- confirm. *)
e_in_E2: "e ∈ E_ES ES2"
and e_notin_V2: "e ∉ V⇘𝒱2⇙"
and e_notin_C2: "e ∉ C⇘𝒱2⇙"
by (simp only: isViewOn_def V_valid_def VC_disjoint_def NC_disjoint_def VN_disjoint_def
, auto)+
from e_in_E2 e_notin_V2 propSepViews have "e ∉ V⇘𝒱⇙"
unfolding properSeparationOfViews_def by auto
moreover
from e_in_E2 e_notin_C2 propSepViews have "e ∉ C⇘𝒱⇙"
unfolding properSeparationOfViews_def by auto
moreover
note e_in_E2 validVC
ultimately have "e ∈ N⇘𝒱⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def VN_disjoint_def NC_disjoint_def
composeES_def, auto)
}
ultimately show ?thesis
by auto
qed
end
end
Theory CompositionSupport
theory CompositionSupport
imports CompositionBase
begin
(* Single-component setting used by the compositionality proofs: a valid
   event system ESi with a view 𝒱i on its events, related to the global view
   𝒱 by the per-component halves of properSeparationOfViews (the V equation
   and the C inclusion). *)
locale CompositionSupport =
fixes ESi :: "'e ES_rec"
and 𝒱 :: "'e V_rec"
and 𝒱i :: "'e V_rec"
assumes validESi: "ES_valid ESi"
and validVi: "isViewOn 𝒱i E⇘ESi⇙"
and Vv_inter_Ei_is_Vvi: "V⇘𝒱⇙ ∩ E⇘ESi⇙ = V⇘𝒱i⇙"
and Cv_inter_Ei_subsetof_Cvi: "C⇘𝒱⇙ ∩ E⇘ESi⇙ ⊆ C⇘𝒱i⇙"
context CompositionSupport
begin
(* Lifting BSD of a component to a global trace with a confidential event:
   if (β @ [c] @ α) projected to ESi is a trace of ESi, c is globally
   confidential, and ESi satisfies BSD for 𝒱i, then there is a C⇘𝒱i⇙-free
   continuation α_i' of β ↿ E⇘ESi⇙ in ESi with the same 𝒱i-visible events
   as α. Proof by induction on the number of C⇘𝒱i⇙ events in [c] @ α: each
   step removes the last such event using BSD of the component. *)
lemma BSD_in_subsystem:
"⟦ c ∈ C⇘𝒱⇙; ((β @ [c] @ α) ↿ E⇘ESi⇙) ∈ Tr⇘ESi⇙ ; BSD 𝒱i Tr⇘ESi⇙ ⟧
⟹ ∃α_i'. ( ((β ↿ E⇘ESi⇙) @ α_i') ∈ Tr⇘ESi⇙
∧ (α_i' ↿ V⇘𝒱i⇙) = (α ↿ V⇘𝒱i⇙) ∧ α_i' ↿ C⇘𝒱i⇙ = [] )"
proof (induct "length (([c] @ α) ↿ C⇘𝒱i⇙)" arbitrary: β c α)
(* Base case: [c] @ α contains no C⇘𝒱i⇙ events, so its projection to ESi
   already is the required continuation. *)
case 0
let ?L = "([c] @ α) ↿ E⇘ESi⇙"
from 0(3) have β_E1_cα_E1_in_Tr1: "((β ↿ E⇘ESi⇙) @ (([c] @ α) ↿ E⇘ESi⇙)) ∈ Tr⇘ESi⇙"
by (simp only: projection_concatenation_commute)
moreover
have "(?L ↿ V⇘𝒱i⇙) = (α ↿ V⇘𝒱i⇙)"
proof -
have "(?L ↿ V⇘𝒱i⇙) = ([c] @ α) ↿ V⇘𝒱i⇙"
proof -
from validVi have "E⇘ESi⇙ ∩ V⇘𝒱i⇙ = V⇘𝒱i⇙"
by (simp add: isViewOn_def V_valid_def VN_disjoint_def VC_disjoint_def NC_disjoint_def
, auto)
moreover
have "(?L ↿ V⇘𝒱i⇙) = ([c] @ α) ↿ (E⇘ESi⇙ ∩ V⇘𝒱i⇙)"
by (simp add: projection_def)
ultimately show ?thesis
by auto
qed
moreover
(* c is not 𝒱i-visible: it is globally confidential, and if it belongs to
   ESi at all it is in C⇘𝒱i⇙, which the 0 case rules out. *)
have "([c] @ α) ↿ V⇘𝒱i⇙ = α ↿ V⇘𝒱i⇙"
proof -
have "([c] @ α) ↿ V⇘𝒱i⇙ = ([c] ↿ V⇘𝒱i⇙) @ (α ↿ V⇘𝒱i⇙)"
by (rule projection_concatenation_commute)
moreover
have "([c] ↿ V⇘𝒱i⇙) = []"
proof -
from 0(2) have "[c] ↿ C⇘𝒱⇙ = [c]"
by (simp add: projection_def)
moreover
have "[c] ↿ C⇘𝒱⇙ ↿ V⇘𝒱i⇙ = []"
proof -
from validVi Cv_inter_Ei_subsetof_Cvi have "C⇘𝒱⇙ ∩ V⇘𝒱i⇙ ⊆ C⇘𝒱i⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def, auto)
moreover
from 0(1) have "[c] ↿ C⇘𝒱i⇙ = []"
by (simp only: projection_concatenation_commute, auto)
ultimately have "[c] ↿ (C⇘𝒱⇙ ∩ V⇘𝒱i⇙) = []"
by (rule projection_on_subset)
thus ?thesis
by (simp only: projection_def, auto)
qed
ultimately show ?thesis
by auto
qed
ultimately show ?thesis
by auto
qed
ultimately show ?thesis
by auto
qed
moreover
have "?L ↿ C⇘𝒱i⇙ = []"
proof -
from 0(1) have "([c] @ α) ↿ C⇘𝒱i⇙ = []"
by auto
hence "([c] @ α) ↿ (C⇘𝒱i⇙ ∩ E⇘ESi⇙) = []"
by (rule projection_on_intersection)
hence "([c] @ α) ↿ (E⇘ESi⇙ ∩ C⇘𝒱i⇙) = []"
by (simp only: Int_commute)
thus ?thesis
by (simp only: projection_def, auto)
qed
ultimately show ?case
by auto
next
(* Step case: split off the last C⇘𝒱i⇙ event c_i of [c] @ α, i.e.
   [c] @ α = γ @ [c_i] @ δ with δ free of C⇘𝒱i⇙ events. *)
case (Suc n)
from projection_split_last[OF Suc(2)] obtain γ c_i δ
where c_i_in_C𝒱i: "c_i ∈ C⇘𝒱i⇙"
and cα_is_γc_iδ: "[c] @ α = γ @ [c_i] @ δ"
and δ_no_C𝒱i: "δ ↿ C⇘𝒱i⇙ = []"
and n_is_len_γδ_C𝒱i: "n = length ((γ @ δ) ↿ C⇘𝒱i⇙)"
by auto
let ?L1 = "((β @ γ) ↿ E⇘ESi⇙)"
let ?L2 = "(δ ↿ E⇘ESi⇙)"
note c_i_in_C𝒱i
moreover
have list_with_c_i_in_Tr1: "(?L1 @ [c_i] @ ?L2) ∈ Tr⇘ESi⇙"
proof -
from c_i_in_C𝒱i validVi have "[c_i] ↿ E⇘ESi⇙ = [c_i]"
by (simp only: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_def, auto)
moreover
from Suc(4) cα_is_γc_iδ have "((β @ γ @ [c_i] @ δ) ↿ E⇘ESi⇙) ∈ Tr⇘ESi⇙"
by auto
hence "(?L1 @ ([c_i] ↿ E⇘ESi⇙) @ ?L2) ∈ Tr⇘ESi⇙"
by (simp only: projection_def, auto)
ultimately show ?thesis
by auto
qed
moreover
have "?L2 ↿ C⇘𝒱i⇙ = []"
proof -
from validVi have "⋀x. (x ∈ E⇘ESi⇙ ∧ x ∈ C⇘𝒱i⇙) = (x ∈ C⇘𝒱i⇙)"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
with δ_no_C𝒱i show ?thesis
by (simp add: projection_def)
qed
moreover note Suc(5)
(* BSD of ESi deletes c_i: the trace ?L1 @ δ' remains possible, with δ'
   𝒱i-equivalent to ?L2 and free of C⇘𝒱i⇙ events. *)
ultimately obtain δ'
where δ'_1: "(?L1 @ δ') ∈ Tr⇘ESi⇙"
and δ'_2: "δ' ↿ V⇘𝒱i⇙ = ?L2 ↿ V⇘𝒱i⇙"
and δ'_3: "δ' ↿ C⇘𝒱i⇙ = []"
unfolding BSD_def
by blast
hence δ'_2': "δ' ↿ V⇘𝒱i⇙ = δ ↿ V⇘𝒱i⇙"
proof -
have "?L2 ↿ V⇘𝒱i⇙ = δ ↿ V⇘𝒱i⇙"
proof -
from validVi have "⋀x. (x ∈ E⇘ESi⇙ ∧ x ∈ V⇘𝒱i⇙) = (x ∈ V⇘𝒱i⇙)"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (simp add: projection_def)
qed
with δ'_2 show ?thesis
by auto
qed
show ?case
(* Was the deleted event c itself (γ = []) or some later event in α? *)
proof (cases γ)
case Nil
with cα_is_γc_iδ have "[c] @ α = [c_i] @ δ"
by auto
hence δ_is_α: "δ = α"
by auto
from δ'_1 have δ'_1': "((β ↿ E⇘ESi⇙) @ δ') ∈ Tr⇘ESi⇙"
by (simp only: Nil, auto)
moreover
note δ'_2'
moreover note δ'_3
ultimately show ?thesis
by (simp only: δ_is_α, auto)
next
(* γ = [c] @ γ': the C count of [c] @ γ' @ δ' is n, so the induction
   hypothesis applies to the shortened suffix γ' @ δ'. *)
case (Cons x γ')
with cα_is_γc_iδ have γ_is_cγ': "γ = [c] @ γ'"
by simp
with n_is_len_γδ_C𝒱i have "n = length (([c] @ γ' @ δ) ↿ C⇘𝒱i⇙)"
by auto
with δ_no_C𝒱i δ'_3 have "n = length (([c] @ γ' @ δ') ↿ C⇘𝒱i⇙)"
by (simp only: projection_concatenation_commute)
moreover
note Suc(3)
moreover
have "((β @ [c] @ (γ' @ δ')) ↿ E⇘ESi⇙) ∈ Tr⇘ESi⇙"
proof -
(* δ' consists of ESi events only (traces contain only events of the system). *)
from δ'_1 validESi have "δ' = δ' ↿ E⇘ESi⇙"
proof -
let ?L = "(β @ γ) ↿ E⇘ESi⇙ @ δ'"
from δ'_1 validESi have "∀e ∈ set ?L. e ∈ E⇘ESi⇙"
by (simp add: ES_valid_def traces_contain_events_def)
hence "set δ' ⊆ E⇘ESi⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
with δ'_1 have "?L1 @ δ' = (β @ γ @ δ') ↿ E⇘ESi⇙"
by (simp only: projection_concatenation_commute, auto)
with γ_is_cγ' δ'_1 show ?thesis
by auto
qed
moreover
note Suc(5)
moreover note Suc(1)[of c "γ' @ δ'" β]
ultimately obtain α_i'
where α_i'_1: "β ↿ E⇘ESi⇙ @ α_i' ∈ Tr⇘ESi⇙"
and α_i'_2: "α_i' ↿ V⇘𝒱i⇙ = (γ' @ δ') ↿ V⇘𝒱i⇙"
and α_i'_3: "α_i' ↿ C⇘𝒱i⇙ = []"
by auto
moreover
(* Deleting the confidential c_i did not change the 𝒱i-visible events. *)
have "α_i' ↿ V⇘𝒱i⇙ = α ↿ V⇘𝒱i⇙"
proof -
have "α ↿ V⇘𝒱i⇙ = (γ' @ δ) ↿ V⇘𝒱i⇙"
proof -
from cα_is_γc_iδ γ_is_cγ' have "α ↿ V⇘𝒱i⇙ = (γ' @ [c_i] @ δ) ↿ V⇘𝒱i⇙"
by simp
with validVi c_i_in_C𝒱i show ?thesis
by (simp only: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_concatenation_commute
projection_def, auto)
qed
moreover
from α_i'_2 δ'_2' have "α_i' ↿ V⇘𝒱i⇙ = (γ' @ δ) ↿ V⇘𝒱i⇙"
by (simp only: projection_concatenation_commute)
ultimately show ?thesis
by auto
qed
ultimately show ?thesis
by auto
qed
qed
(* Variant of BSD_in_subsystem without a distinguished confidential event:
   if (β @ α) projected to ESi is a trace of ESi and ESi satisfies BSD for
   𝒱i, then β ↿ E⇘ESi⇙ has a C⇘𝒱i⇙-free continuation α_i' in ESi with the same
   𝒱i-visible events as α. Induction on the number of C⇘𝒱i⇙ events in α. *)
lemma BSD_in_subsystem2:
"⟦ ((β @ α) ↿ E⇘ESi⇙) ∈ Tr⇘ESi⇙ ; BSD 𝒱i Tr⇘ESi⇙ ⟧
⟹ ∃ α_i'. ( ((β ↿ E⇘ESi⇙) @ α_i') ∈ Tr⇘ESi⇙ ∧ (α_i' ↿ V⇘𝒱i⇙) = (α ↿ V⇘𝒱i⇙) ∧ α_i' ↿ C⇘𝒱i⇙ = [] )"
proof (induct "length (α ↿ C⇘𝒱i⇙)" arbitrary: β α)
(* Base case: α has no C⇘𝒱i⇙ events; its projection to ESi is the witness. *)
case 0
let ?L = "α ↿ E⇘ESi⇙"
from 0(2) have β_E1_α_E1_in_Tr1: "((β ↿ E⇘ESi⇙) @ ?L) ∈ Tr⇘ESi⇙"
by (simp only: projection_concatenation_commute)
moreover
have "(?L ↿ V⇘𝒱i⇙) = (α ↿ V⇘𝒱i⇙)"
proof -
from validVi have "E⇘ESi⇙ ∩ V⇘𝒱i⇙ = V⇘𝒱i⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
moreover
have "(?L ↿ V⇘𝒱i⇙) = α ↿ (E⇘ESi⇙ ∩ V⇘𝒱i⇙)"
by (simp add: projection_def)
ultimately show ?thesis
by auto
qed
moreover
have "?L ↿ C⇘𝒱i⇙ = []"
proof -
from 0(1) have "α ↿ C⇘𝒱i⇙ = []"
by auto
hence "α ↿ (C⇘𝒱i⇙ ∩ E⇘ESi⇙) = []"
by (rule projection_on_intersection)
hence "α ↿ (E⇘ESi⇙ ∩ C⇘𝒱i⇙) = []"
by (simp only: Int_commute)
thus ?thesis
by (simp only: projection_def, auto)
qed
ultimately show ?case
by auto
next
(* Step case: split off the last C⇘𝒱i⇙ event c_i, α = γ @ [c_i] @ δ with δ
   free of C⇘𝒱i⇙ events. *)
case (Suc n)
from projection_split_last[OF Suc(2)] obtain γ c_i δ
where c_i_in_C𝒱i: "c_i ∈ C⇘𝒱i⇙"
and α_is_γc_iδ: "α = γ @ [c_i] @ δ"
and δ_no_C𝒱i: "δ ↿ C⇘𝒱i⇙ = []"
and n_is_len_γδ_C𝒱i: "n = length ((γ @ δ) ↿ C⇘𝒱i⇙)"
by auto
let ?L1 = "((β @ γ) ↿ E⇘ESi⇙)"
let ?L2 = "(δ ↿ E⇘ESi⇙)"
note c_i_in_C𝒱i
moreover
have list_with_c_i_in_Tr1: "(?L1 @ [c_i] @ ?L2) ∈ Tr⇘ESi⇙"
proof -
from c_i_in_C𝒱i validVi have "[c_i] ↿ E⇘ESi⇙ = [c_i]"
by (simp only: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_def, auto)
moreover
from Suc(3) α_is_γc_iδ have "((β @ γ @ [c_i] @ δ) ↿ E⇘ESi⇙) ∈ Tr⇘ESi⇙"
by auto
hence "(?L1 @ ([c_i] ↿ E⇘ESi⇙) @ ?L2) ∈ Tr⇘ESi⇙"
by (simp only: projection_def, auto)
ultimately show ?thesis
by auto
qed
moreover
have "?L2 ↿ C⇘𝒱i⇙ = []"
proof -
from validVi have "⋀x. (x ∈ E⇘ESi⇙ ∧ x ∈ C⇘𝒱i⇙) = (x ∈ C⇘𝒱i⇙)"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
with δ_no_C𝒱i show ?thesis
by (simp add: projection_def)
qed
moreover note Suc(4)
(* BSD of ESi deletes c_i, yielding a C⇘𝒱i⇙-free δ' that is 𝒱i-equivalent
   to ?L2 and keeps ?L1 @ δ' a trace. *)
ultimately obtain δ'
where δ'_1: "(?L1 @ δ') ∈ Tr⇘ESi⇙"
and δ'_2: "δ' ↿ V⇘𝒱i⇙ = ?L2 ↿ V⇘𝒱i⇙"
and δ'_3: "δ' ↿ C⇘𝒱i⇙ = []"
unfolding BSD_def
by blast
hence δ'_2': "δ' ↿ V⇘𝒱i⇙ = δ ↿ V⇘𝒱i⇙"
proof -
have "?L2 ↿ V⇘𝒱i⇙ = δ ↿ V⇘𝒱i⇙"
proof -
from validVi have "⋀x. (x ∈ E⇘ESi⇙ ∧ x ∈ V⇘𝒱i⇙) = (x ∈ V⇘𝒱i⇙)"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (simp add: projection_def)
qed
with δ'_2 show ?thesis
by auto
qed
(* The shortened suffix γ @ δ' has C count n, so the induction hypothesis
   applies to it. *)
from n_is_len_γδ_C𝒱i δ_no_C𝒱i δ'_3 have "n = length ((γ @ δ') ↿ C⇘𝒱i⇙)"
by (simp add: projection_concatenation_commute)
moreover
have "(β @ (γ @ δ')) ↿ E⇘ESi⇙ ∈ Tr⇘ESi⇙"
proof -
(* δ' consists of ESi events only (traces contain only events of the system). *)
have "δ' = δ' ↿ E⇘ESi⇙"
proof -
let ?L = "(β @ γ) ↿ E⇘ESi⇙ @ δ'"
from δ'_1 validESi have "∀e ∈ set ?L. e ∈ E⇘ESi⇙"
by (simp add: ES_valid_def traces_contain_events_def)
hence "set δ' ⊆ E⇘ESi⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
with δ'_1 have "?L1 @ δ' = (β @ γ @ δ') ↿ E⇘ESi⇙"
by (simp only: projection_concatenation_commute, auto)
with δ'_1 show ?thesis
by auto
qed
moreover
note Suc(4) Suc(1)[of "γ @ δ'" β]
ultimately obtain α_i'
where res1: "β ↿ E⇘ESi⇙ @ α_i' ∈ Tr⇘ESi⇙"
and res2: "α_i' ↿ V⇘𝒱i⇙ = (γ @ δ') ↿ V⇘𝒱i⇙"
and res3: "α_i' ↿ C⇘𝒱i⇙ = []"
by auto
(* Deleting the confidential c_i did not change the 𝒱i-visible events. *)
have "α_i' ↿ V⇘𝒱i⇙ = α ↿ V⇘𝒱i⇙"
proof -
from c_i_in_C𝒱i validVi have "[c_i] ↿ V⇘𝒱i⇙ = []"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_def, auto)
with α_is_γc_iδ δ'_2' have "α ↿ V⇘𝒱i⇙ = (γ @ δ') ↿ V⇘𝒱i⇙"
by (simp only: projection_concatenation_commute, auto)
with res2 show ?thesis
by auto
qed
with res1 res3 show ?case
by auto
qed
end
end
Theory GeneralizedZippingLemma
theory GeneralizedZippingLemma
imports CompositionBase
begin
context Compositionality
begin
lemma generalized_zipping_lemma1: "⟦ N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {}; N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {} ⟧ ⟹
∀ τ lambda t1 t2. ( ( set τ ⊆ E⇘(ES1 ∥ ES2)⇙ ∧ set lambda ⊆ V⇘𝒱⇙ ∧ set t1 ⊆ E⇘ES1⇙ ∧ set t2 ⊆ E⇘ES2⇙
∧ ((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙ ∧ ((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙ ∧ (lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙)
∧ (lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙) ∧ (t1 ↿ C⇘𝒱1⇙) = [] ∧ (t2 ↿ C⇘𝒱2⇙) = [])
⟶ (∃ t. ((τ @ t) ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = [])) )"
proof -
assume Nv1_inter_E2_empty: "N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {}"
and Nv2_inter_E1_empty: "N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {}"
{
fix τ lambda t1 t2
assume τ_in_Estar: "set τ ⊆ E⇘(ES1 ∥ ES2)⇙"
and lambda_in_Vvstar: "set lambda ⊆ V⇘𝒱⇙"
and t1_in_E1star: "set t1 ⊆ E⇘ES1⇙"
and t2_in_E2star: "set t2 ⊆ E⇘ES2⇙"
and τ_E1_t1_in_Tr1: "((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙"
and τ_E2_t2_in_Tr2: "((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙"
and lambda_E1_is_t1_Vv: "(lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙)"
and lambda_E2_is_t2_Vv: "(lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙)"
and t1_no_Cv1: "(t1 ↿ C⇘𝒱1⇙) = []"
and t2_no_Cv2: "(t2 ↿ C⇘𝒱2⇙) = []"
have "⟦ set τ ⊆ E⇘(ES1 ∥ ES2)⇙;
set lambda ⊆ V⇘𝒱⇙;
set t1 ⊆ E⇘ES1⇙;
set t2 ⊆ E⇘ES2⇙;
((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙;
((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙;
(lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙);
(lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙);
(t1 ↿ C⇘𝒱1⇙) = [];
(t2 ↿ C⇘𝒱2⇙) = [] ⟧
⟹ (∃ t. ((τ @ t) ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = []))"
proof (induct lambda arbitrary: τ t1 t2)
case (Nil τ t1 t2)
have "(τ @ []) ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
have "τ ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from Nil(5) validES1 have "τ ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
from Nil(6) validES2 have "τ ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
note Nil(1)
ultimately show ?thesis
by (simp add: composeES_def)
qed
thus ?thesis
by auto
qed
moreover
have "([] ↿ V⇘𝒱⇙) = []"
by (simp add: projection_def)
moreover
have "([] ↿ C⇘𝒱⇙) = []"
by (simp add: projection_def)
ultimately show ?case
by blast
next
case (Cons 𝒱' lambda' τ t1 t2)
thus ?case
proof -
from Cons(3) have v'_in_Vv: "𝒱' ∈ V⇘𝒱⇙"
by auto
have "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙
∨ 𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙
∨ 𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
using Vv_is_Vv1_union_Vv2 v'_in_Vv propSepViews
unfolding properSeparationOfViews_def
by fastforce
moreover {
assume v'_in_Vv1_inter_Vv2: "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙" and v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
by auto
with v'_in_Vv propSepViews
have v'_in_E1: "𝒱' ∈ E⇘ES1⇙" and v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
unfolding properSeparationOfViews_def by auto
from Cons(2,4,8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r1 s1
where t1_is_r1_v'_s1: "t1 = r1 @ [𝒱'] @ s1"
and r1_Vv_empty: "r1 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱1⇙" "V⇘𝒱⇙" "r1"]
have r1_Vv1_empty: "r1 ↿ V⇘𝒱1⇙ = []"
by auto
from Cons(3,5,9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r2 s2
where t2_is_r2_v'_s2: "t2 = r2 @ [𝒱'] @ s2"
and r2_Vv_empty: "r2 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱2⇙" "V⇘𝒱⇙" "r2"]
have r2_Vv2_empty: "r2 ↿ V⇘𝒱2⇙ = []"
by auto
from t1_is_r1_v'_s1 Cons(10) have r1_Cv1_empty: "r1 ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1_is_r1_v'_s1 Cons(10) have s1_Cv1_empty: "s1 ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(4) t1_is_r1_v'_s1 have r1_in_E1star: "set r1 ⊆ E⇘ES1⇙"
and s1_in_E1star: "set s1 ⊆ E⇘ES1⇙"
by auto
from Cons(6) t1_is_r1_v'_s1
have τE1_r1_v'_s1_in_Tr1: "τ ↿ E⇘ES1⇙ @ r1 @ [𝒱'] @ s1 ∈ Tr⇘ES1⇙"
by simp
have r1_in_Nv1star: "set r1 ⊆ N⇘𝒱1⇙"
proof -
note r1_in_E1star
moreover
from r1_Vv1_empty have "set r1 ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq Int_commute
Int_empty_right disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
from r1_Cv1_empty have "set r1 ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq Int_commute
Int_empty_right disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def, auto)
qed
with Nv1_inter_E2_empty have r1E2_empty: "r1 ↿ E⇘ES2⇙ = []"
by (metis Int_commute empty_subsetI projection_on_subset2 r1_Vv_empty)
from t2_is_r2_v'_s2 Cons(11) have r2_Cv2_empty: "r2 ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2_is_r2_v'_s2 Cons(11) have s2_Cv2_empty: "s2 ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(5) t2_is_r2_v'_s2 have r2_in_E2star: "set r2 ⊆ E⇘ES2⇙"
and s2_in_E2star: "set s2 ⊆ E⇘ES2⇙"
by auto
from Cons(7) t2_is_r2_v'_s2
have τE2_r2_v'_s2_in_Tr2: "τ ↿ E⇘ES2⇙ @ r2 @ [𝒱'] @ s2 ∈ Tr⇘ES2⇙"
by simp
have r2_in_Nv2star: "set r2 ⊆ N⇘𝒱2⇙"
proof -
note r2_in_E2star
moreover
from r2_Vv2_empty have "set r2 ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r2_Cv2_empty have "set r2 ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def, auto)
qed
with Nv2_inter_E1_empty have r2E1_empty: "r2 ↿ E⇘ES1⇙ = []"
by (metis Int_commute empty_subsetI projection_on_subset2 r2_Vv_empty)
let ?tau = "τ @ r1 @ r2 @ [𝒱']"
from Cons(2) r1_in_E1star r2_in_E2star v'_in_E2
have "set ?tau ⊆ (E⇘(ES1 ∥ ES2)⇙)"
by (simp add: composeES_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
note s1_in_E1star s2_in_E2star
moreover
from Cons(6) r1_in_E1star r2E1_empty v'_in_E1 t1_is_r1_v'_s1
have "((?tau ↿ E⇘ES1⇙) @ s1) ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute
list_subset_iff_projection_neutral projection_def, auto)
moreover
from Cons(7) r2_in_E2star r1E2_empty v'_in_E2 t2_is_r2_v'_s2
have "((?tau ↿ E⇘ES2⇙) @ s2) ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute
list_subset_iff_projection_neutral projection_def, auto)
moreover
have "lambda' ↿ E⇘ES1⇙ = s1 ↿ V⇘𝒱⇙"
proof -
from Cons(2,4,8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
moreover
from t1_is_r1_v'_s1 r1_Vv_empty v'_in_Vv1 Vv_is_Vv1_union_Vv2
have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (s1 ↿ V⇘𝒱⇙)"
by (simp only: t1_is_r1_v'_s1 projection_concatenation_commute
projection_def, auto)
ultimately show ?thesis
by auto
qed
moreover
have "lambda' ↿ E⇘ES2⇙ = s2 ↿ V⇘𝒱⇙"
proof -
from Cons(3,5,9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
moreover
from t2_is_r2_v'_s2 r2_Vv_empty v'_in_Vv2 Vv_is_Vv1_union_Vv2
have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (s2 ↿ V⇘𝒱⇙)"
by (simp only: t2_is_r2_v'_s2 projection_concatenation_commute
projection_def, auto)
ultimately show ?thesis
by auto
qed
moreover
note s1_Cv1_empty s2_Cv2_empty Cons.hyps(1)[of ?tau s1 s2]
ultimately obtain t'
where tau_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r1 @ r2 @ [𝒱'] @ t'"
note tau_t'_in_Tr
moreover
from r1_Vv_empty r2_Vv_empty t'Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
from propSepViews have "C⇘𝒱⇙ ∩ E⇘ES1⇙ ⊆ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def by auto
hence "r1 ↿ C⇘𝒱⇙ = []"
by (metis projection_on_subset2 r1_Cv1_empty r1_in_E1star)
moreover
from propSepViews have "C⇘𝒱⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
hence "r2 ↿ C⇘𝒱⇙ = []"
by (metis projection_on_subset2 r2_Cv2_empty r2_in_E2star)
moreover
note v'_in_Vv VIsViewOnE t'Cv_empty
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
moreover {
assume v'_in_Vv1_minus_E2: "𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙"
by auto
with v'_in_Vv propSepViews have v'_in_E1: "𝒱' ∈ E⇘ES1⇙"
unfolding properSeparationOfViews_def
by auto
from v'_in_Vv1_minus_E2 have v'_notin_E2: "𝒱' ∉ E⇘ES2⇙"
by (auto)
with validV2 have v'_notin_Vv2: "𝒱' ∉ V⇘𝒱2⇙"
by (simp add: isViewOn_def V_valid_def, auto)
from Cons(3) Cons(4) Cons(8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r1 s1
where t1_is_r1_v'_s1: "t1 = r1 @ [𝒱'] @ s1"
and r1_Vv_empty: "r1 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱1⇙" "V⇘𝒱⇙" "r1"]
have r1_Vv1_empty: "r1 ↿ V⇘𝒱1⇙ = []"
by auto
from t1_is_r1_v'_s1 Cons(10) have r1_Cv1_empty: "r1 ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1_is_r1_v'_s1 Cons(10) have s1_Cv1_empty: "s1 ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(4) t1_is_r1_v'_s1 have r1_in_E1star: "set r1 ⊆ E⇘ES1⇙"
by auto
have r1_in_Nv1star: "set r1 ⊆ N⇘𝒱1⇙"
proof -
note r1_in_E1star
moreover
from r1_Vv1_empty have "set r1 ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq Int_commute
Int_empty_right disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
from r1_Cv1_empty have "set r1 ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq Int_commute
Int_empty_right disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def, auto)
qed
with Nv1_inter_E2_empty have r1E2_empty: "r1 ↿ E⇘ES2⇙ = []"
by (metis Int_commute empty_subsetI
projection_on_subset2 r1_Vv1_empty)
let ?tau = "τ @ r1 @ [𝒱']"
from v'_in_E1 Cons(2) r1_in_Nv1star validV1
have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: isViewOn_def composeES_def V_valid_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from Cons(4) t1_is_r1_v'_s1 have "set s1 ⊆ E⇘ES1⇙"
by auto
moreover
note Cons(5)
moreover
have "?tau ↿ E⇘ES1⇙ @ s1 ∈ Tr⇘ES1⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(3) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(3) Cons.prems(5)
projection_concatenation_commute t1_is_r1_v'_s1)
moreover
have "?tau ↿ E⇘ES2⇙ @ t2 ∈ Tr⇘ES2⇙"
proof -
from v'_notin_E2 have "[𝒱'] ↿ E⇘ES2⇙ = []"
by (simp add: projection_def)
with Cons(7) Cons(4) t1_is_r1_v'_s1 v'_notin_E2
r1_in_Nv1star Nv1_inter_E2_empty r1E2_empty
show ?thesis
by (simp only: t1_is_r1_v'_s1 list_subset_iff_projection_neutral
projection_concatenation_commute, auto)
qed
moreover
from Cons(8) t1_is_r1_v'_s1 r1_Vv_empty v'_in_E1 v'_in_Vv have "lambda' ↿ E⇘ES1⇙ = s1 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
from Cons(9) v'_notin_E2 have "lambda' ↿ E⇘ES2⇙ = t2 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
note s1_Cv1_empty Cons(11)
moreover
note Cons.hyps(1)[of ?tau s1 t2]
ultimately obtain t'
where tau_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r1 @ [𝒱'] @ t'"
note tau_t'_in_Tr
moreover
from r1_Vv_empty t'_Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
from propSepViews have "C⇘𝒱⇙ ∩ E⇘ES1⇙ ⊆ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def by auto
hence"r1 ↿ C⇘𝒱⇙ = []"
by (metis projection_on_subset2 r1_Cv1_empty r1_in_E1star)
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
moreover {
assume v'_in_Vv2_minus_E1: "𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
hence v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
by auto
with v'_in_Vv propSepViews
have v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
unfolding properSeparationOfViews_def by auto
from v'_in_Vv2_minus_E1
have v'_notin_E1: "𝒱' ∉ E⇘ES1⇙"
by (auto)
with validV1
have v'_notin_Vv1: "𝒱' ∉ V⇘𝒱1⇙"
by (simp add:isViewOn_def V_valid_def, auto)
from Cons(4) Cons(5) Cons(9) v'_in_E2
have "t2 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r2 s2
where t2_is_r2_v'_s2: "t2 = r2 @ [𝒱'] @ s2"
and r2_Vv_empty: "r2 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱2⇙" "V⇘𝒱⇙" "r2"]
have r2_Vv2_empty: "r2 ↿ V⇘𝒱2⇙ = []"
by auto
from t2_is_r2_v'_s2 Cons(11) have r2_Cv2_empty: "r2 ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2_is_r2_v'_s2 Cons(11) have s2_Cv2_empty: "s2 ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(5) t2_is_r2_v'_s2 have r2_in_E2star: "set r2 ⊆ E⇘ES2⇙"
by auto
have r2_in_Nv2star: "set r2 ⊆ N⇘𝒱2⇙"
proof -
note r2_in_E2star
moreover
from r2_Vv2_empty have "set r2 ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
from r2_Cv2_empty have "set r2 ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def, auto)
qed
with Nv2_inter_E1_empty have r2E1_empty: "r2 ↿ E⇘ES1⇙ = []"
by (metis Int_commute empty_subsetI
projection_on_subset2 r2_Vv2_empty)
let ?tau = "τ @ r2 @ [𝒱']"
from v'_in_E2 Cons(2) r2_in_Nv2star validV2
have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: composeES_def isViewOn_def V_valid_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
note Cons(4)
moreover
from Cons(5) t2_is_r2_v'_s2 have "set s2 ⊆ E⇘ES2⇙"
by auto
moreover
have "?tau ↿ E⇘ES1⇙ @ t1 ∈ Tr⇘ES1⇙"
proof -
from v'_notin_E1 have "[𝒱'] ↿ E⇘ES1⇙ = []"
by (simp add: projection_def)
with Cons(6) Cons(3) t2_is_r2_v'_s2 v'_notin_E1 r2_in_Nv2star
Nv2_inter_E1_empty r2E1_empty
show ?thesis
by (simp only: t2_is_r2_v'_s2 list_subset_iff_projection_neutral
projection_concatenation_commute, auto)
qed
moreover
have "?tau ↿ E⇘ES2⇙ @ s2 ∈ Tr⇘ES2⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(4) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(4) Cons.prems(6)
projection_concatenation_commute t2_is_r2_v'_s2)
moreover
from Cons(8) v'_notin_E1 have "lambda' ↿ E⇘ES1⇙ = t1 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
from Cons(9) t2_is_r2_v'_s2 r2_Vv_empty v'_in_E2 v'_in_Vv
have "lambda' ↿ E⇘ES2⇙ = s2 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
note Cons(10) s2_Cv2_empty
moreover
note Cons.hyps(1)[of ?tau t1 s2]
ultimately obtain t'
where tau_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r2 @ [𝒱'] @ t'"
note tau_t'_in_Tr
moreover
from r2_Vv_empty t'_Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
from propSepViews have "C⇘𝒱⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
hence "r2 ↿ C⇘𝒱⇙ = []"
by (metis projection_on_subset2 r2_Cv2_empty r2_in_E2star)
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
ultimately show ?thesis
by blast
qed
qed
}
thus ?thesis
by auto
qed
(* generalized_zipping_lemma2.
   "Zips" two component traces into one trace of the composed system ES1 ∥ ES2.
   Given a common prefix τ, a list lambda of visible events (w.r.t. the
   composed view 𝒱) and continuations t1 / t2 of τ in ES1 / ES2 that show
   exactly lambda's ES1- / ES2-part as visible events and contain no
   confidential events of 𝒱1 / 𝒱2, the lemma produces a single continuation t
   of τ in ES1 ∥ ES2 whose V-projection is lambda and whose C-projection is
   empty.
   Assumptions specific to this variant (compare generalized_zipping_lemma3,
   which swaps the roles of ES1 and ES2):
     - N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {}: ES1's non-visible, non-confidential events are
       never events of ES2, so they can be inserted without touching ES2;
     - total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙): events that are confidential for 𝒱1 but
       merely neutral for 𝒱2 can always be appended to an ES1 trace;
     - BSIA ρ1 𝒱1 Tr⇘ES1⇙: after inserting such an admissible confidential
       event, ES1 can still continue with the same visible behaviour and no
       further confidential events (used at the BSIA_def step below).
   NOTE(review): validES1, validES2, validV1, validV2, VIsViewOnE, propSepViews,
   Vv_is_Vv1_union_Vv2, disjoint_Nv2_Vv1 are facts from the enclosing
   context/locale, not visible in this excerpt; their exact statements should be
   confirmed against the locale definition. *)
lemma generalized_zipping_lemma2: "⟦ N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {}; total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙); BSIA ρ1 𝒱1 Tr⇘ES1⇙ ⟧ ⟹
∀ τ lambda t1 t2. ( ( set τ ⊆ (E⇘(ES1 ∥ ES2)⇙) ∧ set lambda ⊆ V⇘𝒱⇙ ∧ set t1 ⊆ E⇘ES1⇙ ∧ set t2 ⊆ E⇘ES2⇙
∧ ((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙ ∧ ((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙
∧ (lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙) ∧ (lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙)
∧ (t1 ↿ C⇘𝒱1⇙) = [] ∧ (t2 ↿ C⇘𝒱2⇙) = [])
⟶ (∃ t. ((τ @ t) ∈ (Tr⇘(ES1 ∥ ES2)⇙) ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = [])) )"
proof -
assume Nv1_inter_E2_empty: "N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {}"
assume total_ES1_Cv1_inter_Nv2: "total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙)"
assume BSIA: "BSIA ρ1 𝒱1 Tr⇘ES1⇙"
{
fix τ lambda t1 t2
(* The ten named assumptions below are not used inside the induction; they
   only discharge the ⟦…⟧ ⟹ … statement at the very end ("thus ?thesis"). *)
assume τ_in_Estar: "set τ ⊆ E⇘(ES1 ∥ ES2)⇙"
and lambda_in_Vvstar: "set lambda ⊆ V⇘𝒱⇙"
and t1_in_E1star: "set t1 ⊆ E⇘ES1⇙"
and t2_in_E2star: "set t2 ⊆ E⇘ES2⇙"
and τ_E1_t1_in_Tr1: "((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙"
and τ_E2_t2_in_Tr2: "((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙"
and lambda_E1_is_t1_Vv: "(lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙)"
and lambda_E2_is_t2_Vv: "(lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙)"
and t1_no_Cv1: "(t1 ↿ C⇘𝒱1⇙) = []"
and t2_no_Cv2: "(t2 ↿ C⇘𝒱2⇙) = []"
(* The statement is proven as an implication so that the induction on lambda
   can generalise over τ, t1 and t2 (they change in every recursive step). *)
have "⟦ set τ ⊆ E⇘(ES1 ∥ ES2)⇙; set lambda ⊆ V⇘𝒱⇙;
set t1 ⊆ E⇘ES1⇙; set t2 ⊆ E⇘ES2⇙;
((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙; ((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙;
(lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙); (lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙);
(t1 ↿ C⇘𝒱1⇙) = []; (t2 ↿ C⇘𝒱2⇙) = [] ⟧
⟹ (∃t. ((τ @ t) ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = []))"
proof (induct lambda arbitrary: τ t1 t2)
(* Base case: no visible events left.  t = [] works because τ itself is a
   trace of ES1 ∥ ES2: both projections of τ are traces of the components
   (prefix-closedness of validES1 / validES2) and τ only contains events of the
   composed system (Nil(1)). *)
case (Nil τ t1 t2)
have "(τ @ []) ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
have "τ ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from Nil(5) validES1 have "τ ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
from Nil(6) validES2 have "τ ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
note Nil(1)
ultimately show ?thesis
by (simp add: composeES_def)
qed
thus ?thesis
by auto
qed
moreover
have "([] ↿ V⇘𝒱⇙) = []"
by (simp add: projection_def)
moreover
have "([] ↿ C⇘𝒱⇙) = []"
by (simp add: projection_def)
ultimately show ?case
by blast
next
(* Step case: lambda = 𝒱' # lambda'.
   Fact numbering used below: Cons(1) = induction hypothesis (Cons.hyps),
   Cons(2)..Cons(11) = the ten premises in statement order
   (Cons(2): set τ ⊆ E, Cons(3): set lambda ⊆ V, Cons(4)/(5): t1/t2 event
   containment, Cons(6)/(7): trace membership, Cons(8)/(9): projection
   equalities, Cons(10)/(11): no C1 / C2 events).
   The proof splits on where the next visible event 𝒱' lives: in both
   component views, only in 𝒱1 (and outside ES2), or only in 𝒱2 (and outside
   ES1).  In each case the trace(s) containing 𝒱' are split at its first
   occurrence (projection_split_first), the prefix before it is shown to be
   neutral, and the induction hypothesis is applied to the extended prefix. *)
case (Cons 𝒱' lambda' τ t1 t2)
thus ?case
proof -
from Cons(3) have v'_in_Vv: "𝒱' ∈ V⇘𝒱⇙"
by auto
have "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ∨ 𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙ ∨ 𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
using propSepViews unfolding properSeparationOfViews_def
using Vv_is_Vv1_union_Vv2 v'_in_Vv by fastforce
(* Case 1: 𝒱' is visible in both 𝒱1 and 𝒱2, hence an event of both ES1 and
   ES2.  Split t2 = r2 @ [𝒱'] @ s2; r2 contains no V- and no C2-events, so it
   lies in N⇘𝒱2⇙.  Its ES1-part must then be inserted into the ES1 trace,
   which is where totality and BSIA of ES1 are needed. *)
moreover {
assume v'_in_Vv1_inter_Vv2: "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙" and v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
by auto
with v'_in_Vv propSepViews
have v'_in_E1: "𝒱' ∈ E⇘ES1⇙" and v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
unfolding properSeparationOfViews_def by auto
from Cons(3,5,9) v'_in_E2
have "t2 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r2 s2
where t2_is_r2_v'_s2: "t2 = r2 @ [𝒱'] @ s2"
and r2_Vv_empty: "r2 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱2⇙" "V⇘𝒱⇙" "r2"]
have r2_Vv2_empty: "r2 ↿ V⇘𝒱2⇙ = []"
by auto
from t2_is_r2_v'_s2 Cons(11) have r2_Cv2_empty: "r2 ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2_is_r2_v'_s2 Cons(11) have s2_Cv2_empty: "s2 ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(5) t2_is_r2_v'_s2 have r2_in_E2star: "set r2 ⊆ E⇘ES2⇙"
and s2_in_E2star: "set s2 ⊆ E⇘ES2⇙"
by auto
from Cons(7) t2_is_r2_v'_s2
have τE2_r2_v'_s2_in_Tr2: "τ ↿ E⇘ES2⇙ @ r2 @ [𝒱'] @ s2 ∈ Tr⇘ES2⇙"
by simp
(* r2 ⊆ E2 with no V2- and no C2-events is, by the view partition of validV2,
   a sequence of N2-events. *)
have r2_in_Nv2star: "set r2 ⊆ N⇘𝒱2⇙"
proof -
note r2_in_E2star
moreover
from r2_Vv2_empty have "set r2 ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r2_Cv2_empty have "set r2 ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def, auto)
qed
(* The part of r2 that ES1 also sees consists of events that are neutral for
   𝒱2 but confidential for 𝒱1 -- exactly the set on which ES1 is total. *)
have r2E1_in_Nv2_inter_C1_star: "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) = set r2 ∩ E⇘ES1⇙"
by (simp add: projection_def, auto)
with r2_in_Nv2star have "set (r2 ↿ E⇘ES1⇙) ⊆ (E⇘ES1⇙ ∩ N⇘𝒱2⇙)"
by auto
moreover
from validV1 propSepViews
have "E⇘ES1⇙ ∩ N⇘𝒱2⇙ = N⇘𝒱2⇙ ∩ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def isViewOn_def V_valid_def
using disjoint_Nv2_Vv1 by blast
ultimately show ?thesis
by auto
qed
(* The inner induction below shadows Cons.prems; keep a handle on them. *)
note outerCons_prems = Cons.prems
(* Inner induction over the ES1-part of r2 (from the right): each event x of
   r2 ↿ E1 is in C1 ∩ N2, so totality lets it be appended to the current ES1
   trace and BSIA yields a continuation t1' with the same V1-projection as
   before and no C1-events.  The result is an ES1 continuation t1' of
   (τ @ r2) ↿ E1 that still shows t1's visible behaviour. *)
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙) ⟹
∃ t1'. ( set t1' ⊆ E⇘ES1⇙
∧ ((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙
∧ t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙
∧ t1' ↿ C⇘𝒱1⇙ = [] )"
proof (induct "r2 ↿ E⇘ES1⇙" arbitrary: r2 rule: rev_induct)
(* Nothing to insert: t1 itself is the required continuation. *)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(9)
outerCons_prems(3) outerCons_prems(5) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE1: "xs = xs ↿ E⇘ES1⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES1⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ E⇘ES1⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by auto
with xs_is_xsE1 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
(* Inner IH: a continuation t1'' for the shorter insertion xs. *)
ultimately obtain t1''
where t1''_in_E1star: "set t1'' ⊆ E⇘ES1⇙"
and τ_xs_E1_t1''_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ t1'' ∈ Tr⇘ES1⇙"
and t1''Vv1_is_t1Vv1: "t1'' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1''Cv1_empty: "t1'' ↿ C⇘𝒱1⇙ = []"
by auto
have x_in_Cv1_inter_Nv2: "x ∈ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv1: "x ∈ C⇘𝒱1⇙"
by auto
moreover
note τ_xs_E1_t1''_in_Tr1 t1''Cv1_empty
moreover
(* Admissibility of x after (τ @ xs) ↿ E1: totality of ES1 on C1 ∩ N2 gives
   the witness trace, and the ρ1-projection condition is discharged by
   reflexivity (the witness is the prefix itself). *)
have Adm: "(Adm 𝒱1 ρ1 Tr⇘ES1⇙ ((τ @ xs) ↿ E⇘ES1⇙) x)"
proof -
from τ_xs_E1_t1''_in_Tr1 validES1
have τ_xsE1_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv1_inter_Nv2 total_ES1_Cv1_inter_Nv2
have τ_xsE1_x_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] ∈ Tr⇘ES1⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1) = ((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA
(* BSIA: inserting the admissible confidential event x keeps a trace whose
   continuation has the same V1-projection and no C1-events. *)
ultimately obtain t1'
where res1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1' ∈ Tr⇘ES1⇙"
and res2: "t1' ↿ V⇘𝒱1⇙ = t1'' ↿ V⇘𝒱1⇙"
and res3: "t1' ↿ C⇘𝒱1⇙ = []"
by (simp only: BSIA_def, blast)
have "set t1' ⊆ E⇘ES1⇙"
proof -
from res1 validES1
have "set (((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1') ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
proof -
from res1 xs_is_xsE1 have "((τ ↿ E⇘ES1⇙) @ (xs @ [x])) @ t1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t1''Vv1_is_t1Vv1 res2 have "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r2E1_in_Nv2_inter_C1_star] obtain t1'
where t1'_in_E1star: "set t1' ⊆ E⇘ES1⇙"
and τr2E1_t1'_in_Tr1: "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
and t1'_Vv1_is_t1_Vv1: "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1'_Cv1_empty: "t1' ↿ C⇘𝒱1⇙ = []"
by auto
(* t1' agrees with t1 on V1; since t1 ⊆ E1 and V ∩ E1 ⊆ V1 (propSepViews),
   t1's V-projection equals its V1-projection, so t1' also starts with 𝒱'
   (as a V1-event) followed by lambda' ↿ E1. *)
have "t1' ↿ V⇘𝒱1⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
proof -
from projection_intersection_neutral[OF Cons(4), of "V⇘𝒱⇙"]
propSepViews
have "t1 ↿ V⇘𝒱⇙ = t1 ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (simp only: Int_commute)
with Cons(8) t1'_Vv1_is_t1_Vv1 v'_in_E1 show ?thesis
by (simp add: projection_def)
qed
(* Split the new ES1 continuation at 𝒱' as well: t1' = r1' @ [𝒱'] @ s1'. *)
from projection_split_first[OF this] obtain r1' s1'
where t1'_is_r1'_v'_s1': "t1' = r1' @ [𝒱'] @ s1'"
and r1'_Vv1_empty: "r1' ↿ V⇘𝒱1⇙ = []"
by auto
from t1'_is_r1'_v'_s1' t1'_Cv1_empty
have r1'_Cv1_empty: "r1' ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1'_is_r1'_v'_s1' t1'_Cv1_empty
have s1'_Cv1_empty: "s1' ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from t1'_in_E1star t1'_is_r1'_v'_s1'
have r1'_in_E1star: "set r1' ⊆ E⇘ES1⇙"
by auto
with propSepViews r1'_Vv1_empty
have r1'_Vv_empty: "r1' ↿ V⇘𝒱⇙ = []"
unfolding properSeparationOfViews_def
by (metis projection_on_subset2 subset_iff_psubset_eq)
have r1'_in_Nv1star: "set r1' ⊆ N⇘𝒱1⇙"
proof -
note r1'_in_E1star
moreover
from r1'_Vv1_empty have "set r1' ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r1'_Cv1_empty have "set r1' ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def, auto)
qed
(* r1' ⊆ N1 and N1 ∩ E2 = {} (lemma assumption): r1' is invisible to ES2. *)
with Nv1_inter_E2_empty have r1'E2_empty: "r1' ↿ E⇘ES2⇙ = []"
by (metis Int_commute empty_subsetI
projection_on_subset2 r1'_Vv1_empty)
(* Extended prefix for the induction hypothesis: τ @ r2 @ r1' @ [𝒱'] with
   continuations s1' (ES1) and s2 (ES2); the ten premises are re-established
   below in statement order. *)
let ?tau = "τ @ r2 @ r1' @ [𝒱']"
from Cons(2) r2_in_E2star r1'_in_E1star v'_in_E2
have "set ?tau ⊆ (E⇘(ES1 ∥ ES2)⇙)"
by (simp add: composeES_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from t1'_in_E1star t1'_is_r1'_v'_s1'
have "set s1' ⊆ E⇘ES1⇙"
by simp
moreover
note s2_in_E2star
moreover
from τr2E1_t1'_in_Tr1 t1'_is_r1'_v'_s1' v'_in_E1
have "?tau ↿ E⇘ES1⇙ @ s1' ∈ Tr⇘ES1⇙"
proof -
from v'_in_E1 r1'_in_E1star
have "(τ @ r2 @ r1' @ [𝒱']) ↿ E⇘ES1⇙ = (τ @ r2) ↿ E⇘ES1⇙ @ r1' @ [𝒱']"
by (simp only: projection_concatenation_commute
list_subset_iff_projection_neutral projection_def, auto)
with τr2E1_t1'_in_Tr1 t1'_is_r1'_v'_s1' v'_in_E1 show ?thesis
by simp
qed
moreover
from r2_in_E2star v'_in_E2 r1'E2_empty τE2_r2_v'_s2_in_Tr2
have "?tau ↿ E⇘ES2⇙ @ s2 ∈ Tr⇘ES2⇙"
by (simp only: list_subset_iff_projection_neutral
projection_concatenation_commute projection_def, auto)
moreover
have "lambda' ↿ E⇘ES1⇙ = s1' ↿ V⇘𝒱⇙"
proof -
from Cons(2,4,8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
moreover
from t1'_is_r1'_v'_s1' r1'_Vv1_empty r1'_in_E1star v'_in_Vv1 propSepViews
have "t1' ↿ V⇘𝒱⇙ = [𝒱'] @ (s1' ↿ V⇘𝒱⇙)"
proof -
have "r1' ↿ V⇘𝒱⇙ =[]"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2
r1'_Vv1_empty r1'_in_E1star subset_iff_psubset_eq)
with t1'_is_r1'_v'_s1' v'_in_Vv1 Vv_is_Vv1_union_Vv2 show ?thesis
by (simp only: t1'_is_r1'_v'_s1' projection_concatenation_commute
projection_def, auto)
qed
moreover
have "t1 ↿ V⇘𝒱⇙ = t1' ↿ V⇘𝒱⇙"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute outerCons_prems(3)
projection_intersection_neutral
t1'_Vv1_is_t1_Vv1 t1'_in_E1star)
ultimately show ?thesis
by auto
qed
moreover
have "lambda' ↿ E⇘ES2⇙ = s2 ↿ V⇘𝒱⇙"
proof -
from Cons(3,5,9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
moreover
from t2_is_r2_v'_s2 r2_Vv_empty v'_in_Vv2 Vv_is_Vv1_union_Vv2
have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (s2 ↿ V⇘𝒱⇙)"
by (simp only: t2_is_r2_v'_s2 projection_concatenation_commute projection_def, auto)
ultimately show ?thesis
by auto
qed
moreover
note s1'_Cv1_empty s2_Cv2_empty Cons.hyps[of ?tau s1' s2]
ultimately obtain t'
where tau_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
(* Witness for this case: the neutral prefixes, 𝒱', then the IH continuation.
   Its V-projection is 𝒱' # lambda' and it contains no C-events of 𝒱. *)
let ?t = "r2 @ r1' @ [𝒱'] @ t'"
note tau_t'_in_Tr
moreover
from r2_Vv_empty r1'_Vv_empty t'Vv_is_lambda' v'_in_Vv have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by(simp only: projection_concatenation_commute projection_def, auto)
moreover
from VIsViewOnE r2_Cv2_empty t'Cv_empty r1'_Cv1_empty v'_in_Vv
have "?t ↿ C⇘𝒱⇙ = []"
proof -
from VIsViewOnE v'_in_Vv have "[𝒱'] ↿ C⇘𝒱⇙ = []"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def projection_def, auto)
moreover
from r2_in_E2star r2_Cv2_empty propSepViews
have "r2 ↿ C⇘𝒱⇙ = []"
unfolding properSeparationOfViews_def
using projection_on_subset2 by auto
moreover
from r1'_in_E1star r1'_Cv1_empty propSepViews
have "r1' ↿ C⇘𝒱⇙ = []"
unfolding properSeparationOfViews_def
using projection_on_subset2 by auto
moreover
note t'Cv_empty
ultimately show ?thesis
by (simp only: projection_concatenation_commute, auto)
qed
ultimately have ?thesis
by auto
}
(* Case 2: 𝒱' is visible only for 𝒱1 and is not an ES2 event at all.  Only
   the ES1 continuation t1 is split; its neutral prefix r1 ⊆ N1 is invisible
   to ES2 by the lemma assumption, so t2 is carried over unchanged. *)
moreover {
assume v'_in_Vv1_minus_E2: "𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙"
by auto
with v'_in_Vv propSepViews have v'_in_E1: "𝒱' ∈ E⇘ES1⇙"
unfolding properSeparationOfViews_def by auto
from v'_in_Vv1_minus_E2 have v'_notin_E2: "𝒱' ∉ E⇘ES2⇙"
by (auto)
with validV2 have v'_notin_Vv2: "𝒱' ∉ V⇘𝒱2⇙"
by (simp add: isViewOn_def V_valid_def, auto)
from Cons(3) Cons(4) Cons(8) v'_in_E1
have "t1 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r1 s1
where t1_is_r1_v'_s1: "t1 = r1 @ [𝒱'] @ s1"
and r1_Vv_empty: "r1 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱1⇙" "V⇘𝒱⇙" "r1"]
have r1_Vv1_empty: "r1 ↿ V⇘𝒱1⇙ = []"
by auto
from t1_is_r1_v'_s1 Cons(10)
have r1_Cv1_empty: "r1 ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1_is_r1_v'_s1 Cons(10)
have s1_Cv1_empty: "s1 ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(4) t1_is_r1_v'_s1
have r1_in_E1star: "set r1 ⊆ E⇘ES1⇙"
by auto
have r1_in_Nv1star: "set r1 ⊆ N⇘𝒱1⇙"
proof -
note r1_in_E1star
moreover
from r1_Vv1_empty have "set r1 ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq
Int_commute Int_empty_right disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
from r1_Cv1_empty have "set r1 ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq
Int_commute Int_empty_right disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def, auto)
qed
with Nv1_inter_E2_empty have r1E2_empty: "r1 ↿ E⇘ES2⇙ = []"
by (metis Int_commute empty_subsetI projection_on_subset2 r1_Vv1_empty)
(* Extended prefix τ @ r1 @ [𝒱'] with continuations s1 (ES1) and t2 (ES2). *)
let ?tau = "τ @ r1 @ [𝒱']"
from v'_in_E1 Cons(2) r1_in_Nv1star validV1
have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: composeES_def isViewOn_def V_valid_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from Cons(4) t1_is_r1_v'_s1 have "set s1 ⊆ E⇘ES1⇙"
by auto
moreover
note Cons(5)
moreover
have "?tau ↿ E⇘ES1⇙ @ s1 ∈ Tr⇘ES1⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(3) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(3) Cons.prems(5)
projection_concatenation_commute t1_is_r1_v'_s1)
moreover
(* Neither r1 nor 𝒱' is an ES2 event, so ?tau ↿ E2 = τ ↿ E2. *)
have "?tau ↿ E⇘ES2⇙ @ t2 ∈ Tr⇘ES2⇙"
proof -
from v'_notin_E2 have "[𝒱'] ↿ E⇘ES2⇙ = []"
by (simp add: projection_def)
with Cons(7) Cons(4) t1_is_r1_v'_s1 v'_notin_E2 r1_in_Nv1star
Nv1_inter_E2_empty r1E2_empty
show ?thesis
by (simp only: t1_is_r1_v'_s1 list_subset_iff_projection_neutral
projection_concatenation_commute, auto)
qed
moreover
from Cons(8) t1_is_r1_v'_s1 r1_Vv_empty v'_in_E1 v'_in_Vv
have "lambda' ↿ E⇘ES1⇙ = s1 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
from Cons(9) v'_notin_E2 have "lambda' ↿ E⇘ES2⇙ = t2 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
note s1_Cv1_empty Cons(11)
moreover
note Cons.hyps(1)[of ?tau s1 t2]
ultimately obtain t'
where τr1v't'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r1 @ [𝒱'] @ t'"
note τr1v't'_in_Tr
moreover
from r1_Vv_empty t'_Vv_is_lambda' v'_in_Vv have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
have "r1 ↿ C⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2 r1_Cv1_empty r1_in_E1star)
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
(* Case 3: 𝒱' is visible only for 𝒱2 and is not an ES1 event.  t2 is split
   as in case 1 and r2's ES1-part (again in N2 ∩ C1) is inserted into the ES1
   trace via totality + BSIA; unlike case 1, the resulting t1' is passed to
   the induction hypothesis whole, since 𝒱' does not occur in ES1. *)
moreover {
assume v'_in_Vv2_minus_E1: "𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
hence v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
by auto
with v'_in_Vv propSepViews
have v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
unfolding properSeparationOfViews_def by auto
from v'_in_Vv2_minus_E1
have v'_notin_E1: "𝒱' ∉ E⇘ES1⇙"
by (auto)
with validV1
have v'_notin_Vv1: "𝒱' ∉ V⇘𝒱1⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
from Cons(3) Cons(5) Cons(9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r2 s2
where t2_is_r2_v'_s2: "t2 = r2 @ [𝒱'] @ s2"
and r2_Vv_empty: "r2 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱2⇙" "V⇘𝒱⇙" "r2"]
have r2_Vv2_empty: "r2 ↿ V⇘𝒱2⇙ = []"
by auto
from t2_is_r2_v'_s2 Cons(11) have r2_Cv2_empty: "r2 ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2_is_r2_v'_s2 Cons(11) have s2_Cv2_empty: "s2 ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(5) t2_is_r2_v'_s2 have r2_in_E2star: "set r2 ⊆ E⇘ES2⇙"
by auto
have r2_in_Nv2star: "set r2 ⊆ N⇘𝒱2⇙"
proof -
note r2_in_E2star
moreover
from r2_Vv2_empty have "set r2 ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral projection_on_union)
moreover
from r2_Cv2_empty have "set r2 ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
qed
have r2E1_in_Nv2_inter_C1_star: "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) = set r2 ∩ E⇘ES1⇙"
by (simp add: projection_def, auto)
with r2_in_Nv2star have "set (r2 ↿ E⇘ES1⇙) ⊆ (E⇘ES1⇙ ∩ N⇘𝒱2⇙)"
by auto
moreover
from validV1 propSepViews disjoint_Nv2_Vv1 have "E⇘ES1⇙ ∩ N⇘𝒱2⇙ = N⇘𝒱2⇙ ∩ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
(* Same inner induction as in case 1 (see the comments there). *)
note outerCons_prems = Cons.prems
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙) ⟹
∃ t1'. ( set t1' ⊆ E⇘ES1⇙
∧ ((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙
∧ t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙
∧ t1' ↿ C⇘𝒱1⇙ = [] )"
proof (induct "r2 ↿ E⇘ES1⇙" arbitrary: r2 rule: rev_induct)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(9) outerCons_prems(3)
outerCons_prems(5) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE1: "xs = xs ↿ E⇘ES1⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES1⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ E⇘ES1⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by auto
with xs_is_xsE1 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain t1''
where t1''_in_E1star: "set t1'' ⊆ E⇘ES1⇙"
and τ_xs_E1_t1''_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ t1'' ∈ Tr⇘ES1⇙"
and t1''Vv1_is_t1Vv1: "t1'' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1''Cv1_empty: "t1'' ↿ C⇘𝒱1⇙ = []"
by auto
have x_in_Cv1_inter_Nv2: "x ∈ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv1: "x ∈ C⇘𝒱1⇙"
by auto
moreover
note τ_xs_E1_t1''_in_Tr1 t1''Cv1_empty
moreover
have Adm: "(Adm 𝒱1 ρ1 Tr⇘ES1⇙ ((τ @ xs) ↿ E⇘ES1⇙) x)"
proof -
from τ_xs_E1_t1''_in_Tr1 validES1
have τ_xsE1_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv1_inter_Nv2 total_ES1_Cv1_inter_Nv2
have τ_xsE1_x_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] ∈ Tr⇘ES1⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1) = ((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA
ultimately obtain t1'
where res1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1' ∈ Tr⇘ES1⇙"
and res2: "t1' ↿ V⇘𝒱1⇙ = t1'' ↿ V⇘𝒱1⇙"
and res3: "t1' ↿ C⇘𝒱1⇙ = []"
by (simp only: BSIA_def, blast)
have "set t1' ⊆ E⇘ES1⇙"
proof -
from res1 validES1 have "set (((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1') ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
proof -
from res1 xs_is_xsE1 have "((τ ↿ E⇘ES1⇙) @ (xs @ [x])) @ t1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t1''Vv1_is_t1Vv1 res2 have "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r2E1_in_Nv2_inter_C1_star] obtain t1'
where t1'_in_E1star: "set t1' ⊆ E⇘ES1⇙"
and τr2E1_t1'_in_Tr1: "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
and t1'_Vv1_is_t1_Vv1: "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1'_Cv1_empty: "t1' ↿ C⇘𝒱1⇙ = []"
by auto
(* Extended prefix τ @ r2 @ [𝒱'] with continuations t1' (ES1) and s2 (ES2). *)
let ?tau = "τ @ r2 @ [𝒱']"
from v'_in_E2 Cons(2) r2_in_Nv2star validV2 have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: composeES_def isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from Cons(5) t2_is_r2_v'_s2 have "set s2 ⊆ E⇘ES2⇙"
by auto
moreover
note t1'_in_E1star
moreover
have "?tau ↿ E⇘ES2⇙ @ s2 ∈ Tr⇘ES2⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(3) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(4) Cons.prems(6)
projection_concatenation_commute t2_is_r2_v'_s2)
moreover
(* 𝒱' ∉ E1, so ?tau ↿ E1 = (τ @ r2) ↿ E1 and t1' continues it. *)
from τr2E1_t1'_in_Tr1 v'_notin_E1 have "?tau ↿ E⇘ES1⇙ @ t1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
from Cons(9) t2_is_r2_v'_s2 r2_Vv_empty v'_in_E2 v'_in_Vv
have "lambda' ↿ E⇘ES2⇙ = s2 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
(* Both t1 and t1' lie in E1, where V and V1 coincide (propSepViews), so
   agreement on V1 lifts to agreement on V. *)
from Cons(10) v'_notin_E1 t1'_Vv1_is_t1_Vv1 have "lambda' ↿ E⇘ES1⇙ = t1' ↿ V⇘𝒱⇙"
proof -
have "t1' ↿ V⇘𝒱⇙ = t1' ↿ V⇘𝒱1⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def projection_intersection_neutral
t1'_in_E1star)
moreover
have "t1 ↿ V⇘𝒱⇙ = t1 ↿ V⇘𝒱1⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def
projection_intersection_neutral Cons(4))
moreover
note Cons(8) v'_notin_E1 t1'_Vv1_is_t1_Vv1
ultimately show ?thesis
by (simp add: projection_def)
qed
moreover
note s2_Cv2_empty t1'_Cv1_empty
moreover
note Cons.hyps(1)[of ?tau t1' s2]
ultimately obtain t'
where τr2v't'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r2 @ [𝒱'] @ t'"
note τr2v't'_in_Tr
moreover
from r2_Vv_empty t'_Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
have "r2 ↿ C⇘𝒱⇙ = []"
proof -
from propSepViews have "C⇘𝒱⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
from projection_on_subset[OF ‹C⇘𝒱⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙› r2_Cv2_empty]
have "r2 ↿ (E⇘ES2⇙ ∩ C⇘𝒱⇙) = []"
by (simp only: Int_commute)
with projection_intersection_neutral[OF r2_in_E2star, of "C⇘𝒱⇙"] show ?thesis
by simp
qed
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
(* All three placements of 𝒱' yield a witness; the case split is exhaustive. *)
ultimately show ?thesis
by blast
qed
qed
}
(* Discharge the implication with the named assumptions and generalise. *)
thus ?thesis
by auto
qed
lemma generalized_zipping_lemma3: "⟦ N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {}; total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙); BSIA ρ2 𝒱2 Tr⇘ES2⇙ ⟧ ⟹
∀ τ lambda t1 t2. ( ( set τ ⊆ E⇘(ES1 ∥ ES2)⇙ ∧ set lambda ⊆ V⇘𝒱⇙ ∧ set t1 ⊆ E⇘ES1⇙ ∧ set t2 ⊆ E⇘ES2⇙
∧ ((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙ ∧ ((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙
∧ (lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙) ∧ (lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙)
∧ (t1 ↿ C⇘𝒱1⇙) = [] ∧ (t2 ↿ C⇘𝒱2⇙) = [])
⟶ (∃ t. ((τ @ t) ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = [])) )"
proof -
assume Nv2_inter_E1_empty: "N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {}"
assume total_ES2_Cv2_inter_Nv1: "total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙)"
assume BSIA: "BSIA ρ2 𝒱2 Tr⇘ES2⇙"
{
fix τ lambda t1 t2
assume τ_in_Estar: "set τ ⊆ E⇘(ES1 ∥ ES2)⇙"
and lambda_in_Vvstar: "set lambda ⊆ V⇘𝒱⇙"
and t1_in_E1star: "set t1 ⊆ E⇘ES1⇙"
and t2_in_E2star: "set t2 ⊆ E⇘ES2⇙"
and τ_E1_t1_in_Tr1: "((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙"
and τ_E2_t2_in_Tr2: "((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙"
and lambda_E1_is_t1_Vv: "(lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙)"
and lambda_E2_is_t2_Vv: "(lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙)"
and t1_no_Cv1: "(t1 ↿ C⇘𝒱1⇙) = []"
and t2_no_Cv2: "(t2 ↿ C⇘𝒱2⇙) = []"
have "⟦ set τ ⊆ E⇘(ES1 ∥ ES2)⇙;
set lambda ⊆ V⇘𝒱⇙;
set t1 ⊆ E⇘ES1⇙;
set t2 ⊆ E⇘ES2⇙;
((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙;
((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙;
(lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙);
(lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙);
(t1 ↿ C⇘𝒱1⇙) = [];
(t2 ↿ C⇘𝒱2⇙) = [] ⟧
⟹ (∃ t. ((τ @ t) ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = []))"
proof (induct lambda arbitrary: τ t1 t2)
case (Nil τ t1 t2)
have "(τ @ []) ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
have "τ ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from Nil(5) validES1 have "τ ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
from Nil(6) validES2 have "τ ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
note Nil(1)
ultimately show ?thesis
by (simp add: composeES_def)
qed
thus ?thesis
by auto
qed
moreover
have "([] ↿ V⇘𝒱⇙) = []"
by (simp add: projection_def)
moreover
have "([] ↿ C⇘𝒱⇙) = []"
by (simp add: projection_def)
ultimately show ?case
by blast
next
case (Cons 𝒱' lambda' τ t1 t2)
thus ?case
proof -
from Cons(3) have v'_in_Vv: "𝒱' ∈ V⇘𝒱⇙"
by auto
have "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙
∨ 𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙
∨ 𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
using propSepViews unfolding properSeparationOfViews_def
by (metis Diff_iff Int_commute Int_iff Un_iff
Vv_is_Vv1_union_Vv2 v'_in_Vv)
moreover {
assume v'_in_Vv1_inter_Vv2: "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙"
hence v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙" and v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙"
by auto
with v'_in_Vv
have v'_in_E2: "𝒱' ∈ E⇘ES2⇙" and v'_in_E1: "𝒱' ∈ E⇘ES1⇙"
using propSepViews unfolding properSeparationOfViews_def by auto
from Cons(2,4,8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r1 s1
where t1_is_r1_v'_s1: "t1 = r1 @ [𝒱'] @ s1"
and r1_Vv_empty: "r1 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱1⇙" "V⇘𝒱⇙" "r1"]
have r1_Vv1_empty: "r1 ↿ V⇘𝒱1⇙ = []"
by auto
from t1_is_r1_v'_s1 Cons(10) have r1_Cv1_empty: "r1 ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1_is_r1_v'_s1 Cons(10) have s1_Cv1_empty: "s1 ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(4) t1_is_r1_v'_s1
have r1_in_E1star: "set r1 ⊆ E⇘ES1⇙" and s1_in_E1star: "set s1 ⊆ E⇘ES1⇙"
by auto
from Cons(6) t1_is_r1_v'_s1
have τE1_r1_v'_s1_in_Tr1: "τ ↿ E⇘ES1⇙ @ r1 @ [𝒱'] @ s1 ∈ Tr⇘ES1⇙"
by simp
have r1_in_Nv1star: "set r1 ⊆ N⇘𝒱1⇙"
proof -
note r1_in_E1star
moreover
from r1_Vv1_empty have "set r1 ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r1_Cv1_empty have "set r1 ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
qed
have r1E2_in_Nv1_inter_C2_star: "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) = set r1 ∩ E⇘ES2⇙"
by (simp add: projection_def, auto)
with r1_in_Nv1star have "set (r1 ↿ E⇘ES2⇙) ⊆ (E⇘ES2⇙ ∩ N⇘𝒱1⇙)"
by auto
moreover
from validV2 disjoint_Nv1_Vv2
have "E⇘ES2⇙ ∩ N⇘𝒱1⇙ = N⇘𝒱1⇙ ∩ C⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add:isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
note outerCons_prems = Cons.prems
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙) ⟹
∃ t2'. ( set t2' ⊆ E⇘ES2⇙
∧ ((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙
∧ t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙
∧ t2' ↿ C⇘𝒱2⇙ = [] )"
proof (induct "r1 ↿ E⇘ES2⇙" arbitrary: r1 rule: rev_induct)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(10) outerCons_prems(4)
outerCons_prems(6) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE2: "xs = xs ↿ E⇘ES2⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES2⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ E⇘ES2⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by auto
with xs_is_xsE2 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain t2''
where t2''_in_E2star: "set t2'' ⊆ E⇘ES2⇙"
and τ_xs_E2_t2''_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ t2'' ∈ Tr⇘ES2⇙"
and t2''Vv2_is_t2Vv2: "t2'' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2''Cv2_empty: "t2'' ↿ C⇘𝒱2⇙ = []"
by auto
have x_in_Cv2_inter_Nv1: "x ∈ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv2: "x ∈ C⇘𝒱2⇙"
by auto
moreover
note τ_xs_E2_t2''_in_Tr2 t2''Cv2_empty
moreover
have Adm: "(Adm 𝒱2 ρ2 Tr⇘ES2⇙ ((τ @ xs) ↿ E⇘ES2⇙) x)"
proof -
from τ_xs_E2_t2''_in_Tr2 validES2
have τ_xsE2_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv2_inter_Nv1 total_ES2_Cv2_inter_Nv1
have τ_xsE2_x_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] ∈ Tr⇘ES2⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2) = ((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA
ultimately obtain t2'
where res1: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2' ∈ Tr⇘ES2⇙"
and res2: "t2' ↿ V⇘𝒱2⇙ = t2'' ↿ V⇘𝒱2⇙"
and res3: "t2' ↿ C⇘𝒱2⇙ = []"
by (simp only: BSIA_def, blast)
have "set t2' ⊆ E⇘ES2⇙"
proof -
from res1 validES2
have "set (((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2') ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
proof -
from res1 xs_is_xsE2 have "((τ ↿ E⇘ES2⇙) @ (xs @ [x])) @ t2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t2''Vv2_is_t2Vv2 res2 have "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r1E2_in_Nv1_inter_C2_star] obtain t2'
where t2'_in_E2star: "set t2' ⊆ E⇘ES2⇙"
and τr1E2_t2'_in_Tr2: "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
and t2'_Vv2_is_t2_Vv2: "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2'_Cv2_empty: "t2' ↿ C⇘𝒱2⇙ = []"
by auto
have "t2' ↿ V⇘𝒱2⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
proof -
from projection_intersection_neutral[OF Cons(5), of "V⇘𝒱⇙"]
have "t2 ↿ V⇘𝒱⇙ = t2 ↿ V⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp only: Int_commute)
with Cons(9) t2'_Vv2_is_t2_Vv2 v'_in_E2 show ?thesis
by (simp add: projection_def)
qed
from projection_split_first[OF this] obtain r2' s2'
where t2'_is_r2'_v'_s2': "t2' = r2' @ [𝒱'] @ s2'"
and r2'_Vv2_empty: "r2' ↿ V⇘𝒱2⇙ = []"
by auto
from t2'_is_r2'_v'_s2' t2'_Cv2_empty
have r2'_Cv2_empty: "r2' ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2'_is_r2'_v'_s2' t2'_Cv2_empty
have s2'_Cv2_empty: "s2' ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from t2'_in_E2star t2'_is_r2'_v'_s2'
have r2'_in_E2star: "set r2' ⊆ E⇘ES2⇙"
by auto
with r2'_Vv2_empty
have r2'_Vv_empty: "r2' ↿ V⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2 subset_iff_psubset_eq)
have r2'_in_Nv2star: "set r2' ⊆ N⇘𝒱2⇙"
proof -
note r2'_in_E2star
moreover
from r2'_Vv2_empty have "set r2' ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r2'_Cv2_empty have "set r2' ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
qed
with Nv2_inter_E1_empty have r2'E1_empty: "r2' ↿ E⇘ES1⇙ = []"
by (metis Int_commute empty_subsetI projection_on_subset2 r2'_Vv2_empty)
let ?tau = "τ @ r1 @ r2' @ [𝒱']"
from Cons(2) r1_in_E1star r2'_in_E2star v'_in_E1
have "set ?tau ⊆ (E⇘(ES1 ∥ ES2)⇙)"
by (simp add: composeES_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
note s1_in_E1star
moreover
from t2'_in_E2star t2'_is_r2'_v'_s2' have "set s2' ⊆ E⇘ES2⇙"
by simp
moreover
from r1_in_E1star v'_in_E1 r2'E1_empty τE1_r1_v'_s1_in_Tr1
have "?tau ↿ E⇘ES1⇙ @ s1 ∈ Tr⇘ES1⇙"
by (simp only: list_subset_iff_projection_neutral
projection_concatenation_commute projection_def, auto)
moreover
from τr1E2_t2'_in_Tr2 t2'_is_r2'_v'_s2' v'_in_E2
have "?tau ↿ E⇘ES2⇙ @ s2' ∈ Tr⇘ES2⇙"
proof -
from v'_in_E2 r2'_in_E2star
have "(τ @ r1 @ r2' @ [𝒱']) ↿ E⇘ES2⇙ = (τ @ r1) ↿ E⇘ES2⇙ @ r2' @ [𝒱']"
by (simp only: projection_concatenation_commute
list_subset_iff_projection_neutral projection_def, auto)
with τr1E2_t2'_in_Tr2 t2'_is_r2'_v'_s2' v'_in_E2 show ?thesis
by simp
qed
moreover
have "lambda' ↿ E⇘ES1⇙ = s1 ↿ V⇘𝒱⇙"
proof -
from Cons(3,4,8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
moreover
from t1_is_r1_v'_s1 r1_Vv_empty v'_in_Vv1 Vv_is_Vv1_union_Vv2
have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (s1 ↿ V⇘𝒱⇙)"
by (simp only: t1_is_r1_v'_s1 projection_concatenation_commute projection_def, auto)
ultimately show ?thesis
by auto
qed
moreover
have "lambda' ↿ E⇘ES2⇙ = s2' ↿ V⇘𝒱⇙"
proof -
from Cons(4,5,9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
moreover
from t2'_is_r2'_v'_s2' r2'_Vv2_empty r2'_in_E2star v'_in_Vv2 propSepViews
have "t2' ↿ V⇘𝒱⇙ = [𝒱'] @ (s2' ↿ V⇘𝒱⇙)"
proof -
have "r2' ↿ V⇘𝒱⇙ =[]"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2
r2'_Vv2_empty r2'_in_E2star subset_iff_psubset_eq)
with t2'_is_r2'_v'_s2' v'_in_Vv2 Vv_is_Vv1_union_Vv2 show ?thesis
by (simp only: t2'_is_r2'_v'_s2' projection_concatenation_commute
projection_def, auto)
qed
moreover
have "t2 ↿ V⇘𝒱⇙ = t2' ↿ V⇘𝒱⇙"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute outerCons_prems(4)
projection_intersection_neutral
t2'_Vv2_is_t2_Vv2 t2'_in_E2star)
ultimately show ?thesis
by auto
qed
moreover
note s1_Cv1_empty s2'_Cv2_empty Cons.hyps[of ?tau s1 s2']
ultimately obtain t'
where tau_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r1 @ r2' @ [𝒱'] @ t'"
note tau_t'_in_Tr
moreover
from r1_Vv_empty r2'_Vv_empty t'Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by(simp only: projection_concatenation_commute projection_def, auto)
moreover
from VIsViewOnE r1_Cv1_empty t'Cv_empty r2'_Cv2_empty v'_in_Vv
have "?t ↿ C⇘𝒱⇙ = []"
proof -
from VIsViewOnE v'_in_Vv have "[𝒱'] ↿ C⇘𝒱⇙ = []"
by (simp add:isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_def, auto)
moreover
from r1_in_E1star r1_Cv1_empty
have "r1 ↿ C⇘𝒱⇙ = []"
using propSepViews projection_on_subset2 unfolding properSeparationOfViews_def
by auto
moreover
from r2'_in_E2star r2'_Cv2_empty
have "r2' ↿ C⇘𝒱⇙ = []"
using propSepViews projection_on_subset2 unfolding properSeparationOfViews_def
by auto
moreover
note t'Cv_empty
ultimately show ?thesis
by (simp only: projection_concatenation_commute, auto)
qed
ultimately have ?thesis
by auto
}
moreover {
assume v'_in_Vv1_minus_E2: "𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙"
by auto
with v'_in_Vv have v'_in_E1: "𝒱' ∈ E⇘ES1⇙"
using propSepViews unfolding properSeparationOfViews_def
by auto
from v'_in_Vv1_minus_E2 have v'_notin_E2: "𝒱' ∉ E⇘ES2⇙"
by (auto)
with validV2 have v'_notin_Vv2: "𝒱' ∉ V⇘𝒱2⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
from Cons(3) Cons(4) Cons(8) v'_in_E1
have "t1 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r1 s1
where t1_is_r1_v'_s1: "t1 = r1 @ [𝒱'] @ s1"
and r1_Vv_empty: "r1 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱1⇙" "V⇘𝒱⇙" "r1"]
have r1_Vv1_empty: "r1 ↿ V⇘𝒱1⇙ = []"
by auto
from t1_is_r1_v'_s1 Cons(10) have r1_Cv1_empty: "r1 ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1_is_r1_v'_s1 Cons(10) have s1_Cv1_empty: "s1 ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(4) t1_is_r1_v'_s1 have r1_in_E1star: "set r1 ⊆ E⇘ES1⇙"
by auto
have r1_in_Nv1star: "set r1 ⊆ N⇘𝒱1⇙"
proof -
note r1_in_E1star
moreover
from r1_Vv1_empty have "set r1 ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq
Int_commute Int_empty_right disjoint_eq_subset_Compl
list_subset_iff_projection_neutral projection_on_union)
moreover
from r1_Cv1_empty have "set r1 ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Diff_eq Int_commute Int_empty_right
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add:isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
qed
have r1E2_in_Nv1_inter_C2_star: "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) = set r1 ∩ E⇘ES2⇙"
by (simp add: projection_def, auto)
with r1_in_Nv1star have "set (r1 ↿ E⇘ES2⇙) ⊆ (E⇘ES2⇙ ∩ N⇘𝒱1⇙)"
by auto
moreover
from validV2 disjoint_Nv1_Vv2
have "E⇘ES2⇙ ∩ N⇘𝒱1⇙ = N⇘𝒱1⇙ ∩ C⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
note outerCons_prems = Cons.prems
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙) ⟹
∃ t2'. ( set t2' ⊆ E⇘ES2⇙
∧ ((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙
∧ t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙
∧ t2' ↿ C⇘𝒱2⇙ = [] )"
proof (induct "r1 ↿ E⇘ES2⇙" arbitrary: r1 rule: rev_induct)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(10) outerCons_prems(4)
outerCons_prems(6) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE2: "xs = xs ↿ E⇘ES2⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES2⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ E⇘ES2⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by auto
with xs_is_xsE2 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain t2''
where t2''_in_E2star: "set t2'' ⊆ E⇘ES2⇙"
and τ_xs_E2_t2''_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ t2'' ∈ Tr⇘ES2⇙"
and t2''Vv2_is_t2Vv2: "t2'' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2''Cv2_empty: "t2'' ↿ C⇘𝒱2⇙ = []"
by auto
have x_in_Cv2_inter_Nv1: "x ∈ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv2: "x ∈ C⇘𝒱2⇙"
by auto
moreover
note τ_xs_E2_t2''_in_Tr2 t2''Cv2_empty
moreover
have Adm: "(Adm 𝒱2 ρ2 Tr⇘ES2⇙ ((τ @ xs) ↿ E⇘ES2⇙) x)"
proof -
from τ_xs_E2_t2''_in_Tr2 validES2
have τ_xsE2_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv2_inter_Nv1 total_ES2_Cv2_inter_Nv1
have τ_xsE2_x_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] ∈ Tr⇘ES2⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2) = ((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA
ultimately obtain t2'
where res1: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2' ∈ Tr⇘ES2⇙"
and res2: "t2' ↿ V⇘𝒱2⇙ = t2'' ↿ V⇘𝒱2⇙"
and res3: "t2' ↿ C⇘𝒱2⇙ = []"
by (simp only: BSIA_def, blast)
have "set t2' ⊆ E⇘ES2⇙"
proof -
from res1 validES2 have "set (((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2') ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
proof -
from res1 xs_is_xsE2 have "((τ ↿ E⇘ES2⇙) @ (xs @ [x])) @ t2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t2''Vv2_is_t2Vv2 res2 have "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r1E2_in_Nv1_inter_C2_star] obtain t2'
where t2'_in_E2star: "set t2' ⊆ E⇘ES2⇙"
and τr1E2_t2'_in_Tr2: "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
and t2'_Vv2_is_t2_Vv2: "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2'_Cv2_empty: "t2' ↿ C⇘𝒱2⇙ = []"
by auto
let ?tau = "τ @ r1 @ [𝒱']"
from v'_in_E1 Cons(2) r1_in_Nv1star validV1 have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: composeES_def isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from Cons(4) t1_is_r1_v'_s1 have "set s1 ⊆ E⇘ES1⇙"
by auto
moreover
note t2'_in_E2star
moreover
have "?tau ↿ E⇘ES1⇙ @ s1 ∈ Tr⇘ES1⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(3) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(3) Cons.prems(5)
projection_concatenation_commute t1_is_r1_v'_s1)
moreover
from τr1E2_t2'_in_Tr2 v'_notin_E2
have "?tau ↿ E⇘ES2⇙ @ t2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
from Cons(8) t1_is_r1_v'_s1 r1_Vv_empty v'_in_E1 v'_in_Vv
have "lambda' ↿ E⇘ES1⇙ = s1 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
from Cons(11) v'_notin_E2 t2'_Vv2_is_t2_Vv2
have "lambda' ↿ E⇘ES2⇙ = t2' ↿ V⇘𝒱⇙"
proof -
have "t2' ↿ V⇘𝒱⇙ = t2' ↿ V⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def projection_intersection_neutral
t2'_in_E2star)
moreover
have "t2 ↿ V⇘𝒱⇙ = t2 ↿ V⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def
projection_intersection_neutral Cons(5))
moreover
note Cons(9) v'_notin_E2 t2'_Vv2_is_t2_Vv2
ultimately show ?thesis
by (simp add: projection_def)
qed
moreover
note s1_Cv1_empty t2'_Cv2_empty
moreover
note Cons.hyps(1)[of ?tau s1 t2']
ultimately obtain t'
where tau_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r1 @ [𝒱'] @ t'"
note tau_t'_in_Tr
moreover
from r1_Vv_empty t'_Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
have "r1 ↿ C⇘𝒱⇙ = []"
proof -
from propSepViews have "E⇘ES1⇙ ∩ C⇘𝒱⇙ ⊆ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def by auto
from projection_on_subset[OF ‹E⇘ES1⇙ ∩ C⇘𝒱⇙ ⊆ C⇘𝒱1⇙› r1_Cv1_empty]
have "r1 ↿ (E⇘ES1⇙ ∩ C⇘𝒱⇙) = []"
by (simp only: Int_commute)
with projection_intersection_neutral[OF r1_in_E1star, of "C⇘𝒱⇙"] show ?thesis
by simp
qed
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add:isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
moreover {
assume v'_in_Vv2_minus_E1: "𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
hence v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
by auto
with v'_in_Vv have v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
using propSepViews unfolding properSeparationOfViews_def
by auto
from v'_in_Vv2_minus_E1 have v'_notin_E1: "𝒱' ∉ E⇘ES1⇙"
by (auto)
with validV1 have v'_notin_Vv1: "𝒱' ∉ V⇘𝒱1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
from Cons(4) Cons(5) Cons(9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r2 s2
where t2_is_r2_v'_s2: "t2 = r2 @ [𝒱'] @ s2"
and r2_Vv_empty: "r2 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱2⇙" "V⇘𝒱⇙" "r2"]
have r2_Vv2_empty: "r2 ↿ V⇘𝒱2⇙ = []"
by auto
from t2_is_r2_v'_s2 Cons(11) have r2_Cv2_empty: "r2 ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2_is_r2_v'_s2 Cons(11) have s2_Cv2_empty: "s2 ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(5) t2_is_r2_v'_s2 have r2_in_E2star: "set r2 ⊆ E⇘ES2⇙"
by auto
have r2_in_Nv2star: "set r2 ⊆ N⇘𝒱2⇙"
proof -
note r2_in_E2star
moreover
from r2_Vv2_empty have "set r2 ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r2_Cv2_empty have "set r2 ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
qed
with Nv2_inter_E1_empty have r2E1_empty: "r2 ↿ E⇘ES1⇙ = []"
by (metis Int_commute empty_subsetI projection_on_subset2 r2_Vv2_empty)
let ?tau = "τ @ r2 @ [𝒱']"
from v'_in_E2 Cons(2) r2_in_Nv2star validV2 have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: composeES_def isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
note Cons(4)
moreover
from Cons(5) t2_is_r2_v'_s2 have "set s2 ⊆ E⇘ES2⇙"
by auto
moreover
have "?tau ↿ E⇘ES1⇙ @ t1 ∈ Tr⇘ES1⇙"
proof -
from v'_notin_E1 have "[𝒱'] ↿ E⇘ES1⇙ = []"
by (simp add: projection_def)
with Cons(6) Cons(3) t2_is_r2_v'_s2 v'_notin_E1
r2_in_Nv2star Nv2_inter_E1_empty r2E1_empty
show ?thesis
by (simp only: t2_is_r2_v'_s2 list_subset_iff_projection_neutral
projection_concatenation_commute, auto)
qed
moreover
have "?tau ↿ E⇘ES2⇙ @ s2 ∈ Tr⇘ES2⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(4) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(4) Cons.prems(6)
projection_concatenation_commute t2_is_r2_v'_s2)
moreover
from Cons(8) v'_notin_E1 have "lambda' ↿ E⇘ES1⇙ = t1 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
from Cons(9) t2_is_r2_v'_s2 r2_Vv_empty v'_in_E2 v'_in_Vv
have "lambda' ↿ E⇘ES2⇙ = s2 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
note Cons(10) s2_Cv2_empty
moreover
note Cons.hyps(1)[of ?tau t1 s2]
ultimately obtain t'
where tau_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r2 @ [𝒱'] @ t'"
note tau_t'_in_Tr
moreover
from r2_Vv_empty t'_Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
have "r2 ↿ C⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2
r2_Cv2_empty r2_in_E2star)
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
ultimately show ?thesis
by blast
qed
qed
}
thus ?thesis
by auto
qed
lemma generalized_zipping_lemma4:
"⟦ ∇⇘Γ1⇙ ⊆ E⇘ES1⇙; Δ⇘Γ1⇙ ⊆ E⇘ES1⇙; Υ⇘Γ1⇙ ⊆ E⇘ES1⇙; ∇⇘Γ2⇙ ⊆ E⇘ES2⇙; Δ⇘Γ2⇙ ⊆ E⇘ES2⇙; Υ⇘Γ2⇙ ⊆ E⇘ES2⇙;
BSIA ρ1 𝒱1 Tr⇘ES1⇙; BSIA ρ2 𝒱2 Tr⇘ES2⇙; total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙); total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙);
FCIA ρ1 Γ1 𝒱1 Tr⇘ES1⇙; FCIA ρ2 Γ2 𝒱2 Tr⇘ES2⇙; V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ⊆ ∇⇘Γ1⇙ ∪ ∇⇘Γ2⇙;
C⇘𝒱1⇙ ∩ N⇘𝒱2⇙ ⊆ Υ⇘Γ1⇙; C⇘𝒱2⇙ ∩ N⇘𝒱1⇙ ⊆ Υ⇘Γ2⇙;
N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {}; N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {} ⟧ ⟹
∀ τ lambda t1 t2. ( ( set τ ⊆ (E⇘(ES1 ∥ ES2)⇙) ∧ set lambda ⊆ V⇘𝒱⇙ ∧ set t1 ⊆ E⇘ES1⇙
∧ set t2 ⊆ E⇘ES2⇙ ∧ ((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙ ∧ ((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙
∧ (lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙) ∧ (lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙)
∧ (t1 ↿ C⇘𝒱1⇙) = [] ∧ (t2 ↿ C⇘𝒱2⇙) = [])
⟶ (∃t. ((τ @ t) ∈ (Tr⇘(ES1 ∥ ES2)⇙) ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = [])) )"
proof -
assume Nabla1_subsetof_E1: "∇⇘Γ1⇙ ⊆ E⇘ES1⇙"
and Delta1_subsetof_E1: "Δ⇘Γ1⇙ ⊆ E⇘ES1⇙"
and Upsilon1_subsetof_E1: "Υ⇘Γ1⇙ ⊆ E⇘ES1⇙"
and Nabla2_subsetof_E2: "∇⇘Γ2⇙ ⊆ E⇘ES2⇙"
and Delta2_subsetof_E2: "Δ⇘Γ2⇙ ⊆ E⇘ES2⇙"
and Upsilon2_subsetof_E2: "Υ⇘Γ2⇙ ⊆ E⇘ES2⇙"
and BSIA1: "BSIA ρ1 𝒱1 Tr⇘ES1⇙"
and BSIA2: "BSIA ρ2 𝒱2 Tr⇘ES2⇙"
and ES1_total_Cv1_inter_Nv2: "total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙)"
and ES2_total_Cv2_inter_Nv1: "total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙)"
and FCIA1: "FCIA ρ1 Γ1 𝒱1 Tr⇘ES1⇙"
and FCIA2: "FCIA ρ2 Γ2 𝒱2 Tr⇘ES2⇙"
and Vv1_inter_Vv2_subsetof_Nabla1_union_Nabla2: "V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ⊆ ∇⇘Γ1⇙ ∪ ∇⇘Γ2⇙"
and Cv1_inter_Nv2_subsetof_Upsilon1: "C⇘𝒱1⇙ ∩ N⇘𝒱2⇙ ⊆ Υ⇘Γ1⇙"
and Cv2_inter_Nv1_subsetof_Upsilon2: "C⇘𝒱2⇙ ∩ N⇘𝒱1⇙ ⊆ Υ⇘Γ2⇙"
and disjoint_Nv1_inter_Delta1_inter_E2: "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {}"
and disjoint_Nv2_inter_Delta2_inter_E1: "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {}"
{
fix τ lambda t1 t2
have "⟦ set τ ⊆ (E⇘(ES1 ∥ ES2)⇙);
set lambda ⊆ V⇘𝒱⇙;
set t1 ⊆ E⇘ES1⇙;
set t2 ⊆ E⇘ES2⇙;
((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙;
((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙;
(lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙);
(lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙);
(t1 ↿ C⇘𝒱1⇙) = [];
(t2 ↿ C⇘𝒱2⇙) = [] ⟧
⟹ (∃ t. ((τ @ t) ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = []))"
proof (induct lambda arbitrary: τ t1 t2)
case (Nil τ t1 t2)
have "(τ @ []) ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
have "τ ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from Nil(5) validES1 have "τ ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
from Nil(6) validES2 have "τ ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
moreover
note Nil(1)
ultimately show ?thesis
by (simp add: composeES_def)
qed
thus ?thesis
by auto
qed
moreover
have "([] ↿ V⇘𝒱⇙) = []"
by (simp add: projection_def)
moreover
have "([] ↿ C⇘𝒱⇙) = []"
by (simp add: projection_def)
ultimately show ?case
by blast
next
case (Cons 𝒱' lambda' τ t1 t2)
thus ?case
proof -
from Cons(3) have v'_in_Vv: "𝒱' ∈ V⇘𝒱⇙"
by auto
have "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ∩ ∇⇘Γ1⇙
∨ 𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ∩ ∇⇘Γ2⇙
∨ 𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙
∨ 𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
proof -
let ?S = "V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ∪ ( V⇘𝒱1⇙ - V⇘𝒱2⇙ ) ∪ ( V⇘𝒱2⇙ - V⇘𝒱1⇙ )"
have "V⇘𝒱1⇙ ∪ V⇘𝒱2⇙ = ?S"
by auto
moreover
have "V⇘𝒱1⇙ - V⇘𝒱2⇙ = V⇘𝒱1⇙ - E⇘ES2⇙"
and "V⇘𝒱2⇙ - V⇘𝒱1⇙ = V⇘𝒱2⇙ - E⇘ES1⇙"
using propSepViews unfolding properSeparationOfViews_def by auto
moreover
note Vv1_inter_Vv2_subsetof_Nabla1_union_Nabla2
Vv_is_Vv1_union_Vv2 v'_in_Vv
ultimately show ?thesis
by auto
qed
moreover
{
assume v'_in_Vv1_inter_Vv2_inter_Nabla1: "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ∩ ∇⇘Γ1⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙" and v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
and v'_in_Nabla2: "𝒱' ∈ ∇⇘Γ1⇙"
by auto
with v'_in_Vv
have v'_in_E1: "𝒱' ∈ E⇘ES1⇙" and v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
using propSepViews unfolding properSeparationOfViews_def by auto
from Cons(3-4) Cons(8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r1 s1
where t1_is_r1_v'_s1: "t1 = r1 @ [𝒱'] @ s1"
and r1_Vv_empty: "r1 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱1⇙" "V⇘𝒱⇙" "r1"]
have r1_Vv1_empty: "r1 ↿ V⇘𝒱1⇙ = []"
by auto
from t1_is_r1_v'_s1 Cons(10) have r1_Cv1_empty: "r1 ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1_is_r1_v'_s1 Cons(10) have s1_Cv1_empty: "s1 ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(4) t1_is_r1_v'_s1
have r1_in_E1star: "set r1 ⊆ E⇘ES1⇙" and s1_in_E1star: "set s1 ⊆ E⇘ES1⇙"
by auto
have r1_in_Nv1star: "set r1 ⊆ N⇘𝒱1⇙"
proof -
note r1_in_E1star
moreover
from r1_Vv1_empty have "set r1 ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r1_Cv1_empty have "set r1 ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
qed
have r1E2_in_Nv1_inter_C2_star: "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) = set r1 ∩ E⇘ES2⇙"
by (simp add: projection_def, auto)
with r1_in_Nv1star have "set (r1 ↿ E⇘ES2⇙) ⊆ (E⇘ES2⇙ ∩ N⇘𝒱1⇙)"
by auto
moreover
from validV2 disjoint_Nv1_Vv2
have "E⇘ES2⇙ ∩ N⇘𝒱1⇙ = N⇘𝒱1⇙ ∩ C⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
with Cv2_inter_Nv1_subsetof_Upsilon2
have r1E2_in_Nv1_inter_C2_Upsilon2_star: "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
by auto
note outerCons_prems = Cons.prems
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙) ⟹
∃ t2'. ( set t2' ⊆ E⇘ES2⇙
∧ ((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙
∧ t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙
∧ t2' ↿ C⇘𝒱2⇙ = [] )"
proof (induct "r1 ↿ E⇘ES2⇙" arbitrary: r1 rule: rev_induct)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(10)
outerCons_prems(4) outerCons_prems(6) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE2: "xs = xs ↿ E⇘ES2⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES2⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ E⇘ES2⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by auto
with xs_is_xsE2 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain t2''
where t2''_in_E2star: "set t2'' ⊆ E⇘ES2⇙"
and τ_xs_E2_t2''_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ t2'' ∈ Tr⇘ES2⇙"
and t2''Vv2_is_t2Vv2: "t2'' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2''Cv2_empty: "t2'' ↿ C⇘𝒱2⇙ = []"
by auto
have x_in_Cv2_inter_Nv1: "x ∈ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv2: "x ∈ C⇘𝒱2⇙"
by auto
moreover
note τ_xs_E2_t2''_in_Tr2 t2''Cv2_empty
moreover
have Adm: "(Adm 𝒱2 ρ2 Tr⇘ES2⇙ ((τ @ xs) ↿ E⇘ES2⇙) x)"
proof -
from τ_xs_E2_t2''_in_Tr2 validES2
have τ_xsE2_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv2_inter_Nv1 ES2_total_Cv2_inter_Nv1
have τ_xsE2_x_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] ∈ Tr⇘ES2⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2) = ((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA2
ultimately obtain t2'
where res1: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2' ∈ Tr⇘ES2⇙"
and res2: "t2' ↿ V⇘𝒱2⇙ = t2'' ↿ V⇘𝒱2⇙"
and res3: "t2' ↿ C⇘𝒱2⇙ = []"
by (simp only: BSIA_def, blast)
have "set t2' ⊆ E⇘ES2⇙"
proof -
from res1 validES2 have "set (((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2') ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
proof -
from res1 xs_is_xsE2 have "((τ ↿ E⇘ES2⇙) @ (xs @ [x])) @ t2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t2''Vv2_is_t2Vv2 res2 have "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r1E2_in_Nv1_inter_C2_star] obtain t2'
where t2'_in_E2star: "set t2' ⊆ E⇘ES2⇙"
and τr1E2_t2'_in_Tr2: "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
and t2'_Vv2_is_t2_Vv2: "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2'_Cv2_empty: "t2' ↿ C⇘𝒱2⇙ = []"
by auto
have "t2' ↿ V⇘𝒱2⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
proof -
from projection_intersection_neutral[OF Cons(5), of "V⇘𝒱⇙"]
have "t2 ↿ V⇘𝒱⇙ = t2 ↿ V⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp only: Int_commute)
with Cons(9) t2'_Vv2_is_t2_Vv2 v'_in_E2 show ?thesis
by (simp add: projection_def)
qed
from projection_split_first[OF this] obtain r2' s2'
where t2'_is_r2'_v'_s2': "t2' = r2' @ [𝒱'] @ s2'"
and r2'_Vv2_empty: "r2' ↿ V⇘𝒱2⇙ = []"
by auto
from t2'_is_r2'_v'_s2' t2'_Cv2_empty have r2'_Cv2_empty: "r2' ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2'_is_r2'_v'_s2' t2'_Cv2_empty have s2'_Cv2_empty: "s2' ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from t2'_in_E2star t2'_is_r2'_v'_s2' have r2'_in_E2star: "set r2' ⊆ E⇘ES2⇙"
by auto
have r2'_in_Nv2star: "set r2' ⊆ N⇘𝒱2⇙"
proof -
note r2'_in_E2star
moreover
from r2'_Vv2_empty have "set r2' ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r2'_Cv2_empty have "set r2' ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
qed
have r2'E1_in_Nv2_inter_C1_star: "set (r2' ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2' ↿ E⇘ES1⇙) = set r2' ∩ E⇘ES1⇙"
by (simp add: projection_def, auto)
with r2'_in_Nv2star have "set (r2' ↿ E⇘ES1⇙) ⊆ (E⇘ES1⇙ ∩ N⇘𝒱2⇙)"
by auto
moreover
from validV1 disjoint_Nv2_Vv1
have "E⇘ES1⇙ ∩ N⇘𝒱2⇙ = N⇘𝒱2⇙ ∩ C⇘𝒱1⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
with Cv1_inter_Nv2_subsetof_Upsilon1
have r2'E1_in_Nv2_inter_Cv1_Upsilon1_star:
"set (r2' ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
by auto
have "set (r2' ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) ⟹
∃ s1' q1'. (
set s1' ⊆ E⇘ES1⇙ ∧ set q1' ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ (τ ↿ E⇘ES1⇙) @ r1 @ q1' @ [𝒱'] @ s1' ∈ Tr⇘ES1⇙
∧ q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = r2' ↿ E⇘ES1⇙
∧ s1' ↿ V⇘𝒱1⇙ = s1 ↿ V⇘𝒱1⇙
∧ s1' ↿ C⇘𝒱1⇙ = [])"
proof (induct "r2' ↿ E⇘ES1⇙" arbitrary: r2' rule: rev_induct)
case Nil
note s1_in_E1star
moreover
have "set [] ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from outerCons_prems(5) t1_is_r1_v'_s1
have "τ ↿ E⇘ES1⇙ @ r1 @ [] @ [𝒱'] @ s1 ∈ Tr⇘ES1⇙"
by auto
moreover
from Nil have "[] ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = r2' ↿ E⇘ES1⇙"
by (simp add: projection_def)
moreover
have "s1 ↿ V⇘𝒱1⇙ = s1 ↿ V⇘𝒱1⇙"..
moreover
note s1_Cv1_empty
ultimately show ?case
by blast
next
case (snoc x xs)
have xs_is_xsE1: "xs = xs ↿ E⇘ES1⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES1⇙"
by (simp add: projection_def, auto)
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES1⇙) ⊆ N⇘𝒱2⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ N⇘𝒱2⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by simp
with xs_is_xsE1 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain s1'' q1''
where s1''_in_E1star: "set s1'' ⊆ E⇘ES1⇙"
and q1''_in_C1_inter_Upsilon1_inter_Delta1: "set q1'' ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and τE1_r1_q1''_v'_s1''_in_Tr1: "(τ ↿ E⇘ES1⇙ @ r1 @ q1'') @ [𝒱'] @ s1'' ∈ Tr⇘ES1⇙"
and q1''C1_Upsilon1_is_xsE1: "q1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = xs ↿ E⇘ES1⇙"
and s1''V1_is_s1V1: "s1'' ↿ V⇘𝒱1⇙ = s1 ↿ V⇘𝒱1⇙"
and s1''C1_empty: "s1'' ↿ C⇘𝒱1⇙ = []"
by auto
have x_in_Cv1_inter_Upsilon1: "x ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
and x_in_Cv1_inter_Nv2: "x ∈ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
by simp
thus "x ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
and "x ∈ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙"
by auto
qed
with validV1 have x_in_E1: "x ∈ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
note x_in_Cv1_inter_Upsilon1
moreover
from v'_in_Vv1_inter_Vv2_inter_Nabla1 have "𝒱' ∈ V⇘𝒱1⇙ ∩ ∇⇘Γ1⇙"
by auto
moreover
note τE1_r1_q1''_v'_s1''_in_Tr1 s1''C1_empty
moreover
have Adm: "(Adm 𝒱1 ρ1 Tr⇘ES1⇙ (τ ↿ E⇘ES1⇙ @ r1 @ q1'') x)"
proof -
from τE1_r1_q1''_v'_s1''_in_Tr1 validES1
have "(τ ↿ E⇘ES1⇙ @ r1 @ q1'') ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv1_inter_Nv2 ES1_total_Cv1_inter_Nv2
have "(τ ↿ E⇘ES1⇙ @ r1 @ q1'') @ [x] ∈ Tr⇘ES1⇙"
by (simp only: total_def)
moreover
have "(τ ↿ E⇘ES1⇙ @ r1 @ q1'') ↿ (ρ1 𝒱1) = (τ ↿ E⇘ES1⇙ @ r1 @ q1'') ↿ (ρ1 𝒱1)" ..
ultimately show ?thesis
by (simp only: Adm_def, blast)
qed
moreover
note FCIA1
ultimately
obtain s1' γ'
where res1: "(set γ') ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
and res2: "((τ ↿ E⇘ES1⇙ @ r1 @ q1'') @ [x] @ γ' @ [𝒱'] @ s1') ∈ Tr⇘ES1⇙"
and res3: "(s1' ↿ V⇘𝒱1⇙) = (s1'' ↿ V⇘𝒱1⇙)"
and res4: "s1' ↿ C⇘𝒱1⇙ = []"
unfolding FCIA_def
by blast
let ?q1' = "q1'' @ [x] @ γ'"
from res2 validES1 have "set s1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from res1 x_in_Cv1_inter_Upsilon1 q1''_in_C1_inter_Upsilon1_inter_Delta1
have "set ?q1' ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from res2 have "τ ↿ E⇘ES1⇙ @ r1 @ ?q1' @ [𝒱'] @ s1' ∈ Tr⇘ES1⇙"
by auto
moreover
have "?q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = r2' ↿ E⇘ES1⇙"
proof -
from validV1 res1 have "γ' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = []"
proof -
from res1 have "γ' = γ' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by (simp only: list_subset_iff_projection_neutral)
hence "γ' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = γ' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
by simp
hence "γ' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = γ' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
by (simp only: projection_def, auto)
moreover
from validV1 have "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ = {}"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by (simp add: projection_def)
qed
hence "?q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = (q1'' @ [x]) ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
by (simp only: projection_concatenation_commute, auto)
with q1''C1_Upsilon1_is_xsE1 x_in_Cv1_inter_Upsilon1
have "?q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = (xs ↿ E⇘ES1⇙) @ [x]"
by (simp only: projection_concatenation_commute projection_def, auto)
with xs_is_xsE1 snoc(2) show ?thesis
by simp
qed
moreover
from res3 s1''V1_is_s1V1 have "s1' ↿ V⇘𝒱1⇙ = s1 ↿ V⇘𝒱1⇙"
by simp
moreover
note res4
ultimately show ?case
by blast
qed
from this[OF r2'E1_in_Nv2_inter_Cv1_Upsilon1_star] obtain s1' q1'
where s1'_in_E1star: "set s1' ⊆ E⇘ES1⇙"
and q1'_in_Cv1_inter_Upsilon1_union_Nv1_inter_Delta1:
"set q1' ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and τE1_r1_q1'_v'_s1'_in_Tr1: "(τ ↿ E⇘ES1⇙) @ r1 @ q1' @ [𝒱'] @ s1' ∈ Tr⇘ES1⇙"
and q1'Cv1_inter_Upsilon1_is_r2'E1: "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = r2' ↿ E⇘ES1⇙"
and s1'Vv1_is_s1_Vv1: "s1' ↿ V⇘𝒱1⇙ = s1 ↿ V⇘𝒱1⇙"
and s1'Cv1_empty: "s1' ↿ C⇘𝒱1⇙ = []"
by auto
from q1'_in_Cv1_inter_Upsilon1_union_Nv1_inter_Delta1 validV1
have q1'_in_E1star: "set q1' ⊆ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
have r2'Cv_empty: "r2' ↿ C⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2
r2'_Cv2_empty r2'_in_E2star)
from validES1 τE1_r1_q1'_v'_s1'_in_Tr1
have q1'_in_E1star: "set q1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
note r2'_in_E2star
moreover
have q1'E2_is_r2'E1: "q1' ↿ E⇘ES2⇙ = r2' ↿ E⇘ES1⇙"
proof -
from q1'_in_Cv1_inter_Upsilon1_union_Nv1_inter_Delta1
have "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) = q1'"
by (simp add: list_subset_iff_projection_neutral)
hence "(q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)) ↿ E⇘ES2⇙ = q1' ↿ E⇘ES2⇙"
by simp
hence "q1' ↿ ((C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ∩ E⇘ES2⇙) = q1' ↿ E⇘ES2⇙"
by (simp add: projection_def)
hence "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ E⇘ES2⇙) = q1' ↿ E⇘ES2⇙"
by (simp only: Int_Un_distrib2 disjoint_Nv1_inter_Delta1_inter_E2, auto)
moreover
from q1'Cv1_inter_Upsilon1_is_r2'E1
have "(q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)) ↿ E⇘ES2⇙ = (r2' ↿ E⇘ES1⇙) ↿ E⇘ES2⇙"
by simp
hence "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ E⇘ES2⇙) = (r2' ↿ E⇘ES2⇙) ↿ E⇘ES1⇙"
by (simp add: projection_def conj_commute)
with r2'_in_E2star have "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ E⇘ES2⇙) = r2' ↿ E⇘ES1⇙"
by (simp only: list_subset_iff_projection_neutral)
ultimately show ?thesis
by auto
qed
moreover
have "q1' ↿ V⇘𝒱⇙ = []"
proof -
from q1'_in_Cv1_inter_Upsilon1_union_Nv1_inter_Delta1
have "q1' = q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by (simp add: list_subset_iff_projection_neutral)
moreover
from q1'_in_E1star have "q1' = q1' ↿ E⇘ES1⇙"
by (simp add: list_subset_iff_projection_neutral)
ultimately have "q1' = q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ E⇘ES1⇙"
by simp
hence "q1' ↿ V⇘𝒱⇙ = q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ E⇘ES1⇙ ↿ V⇘𝒱⇙"
by simp
hence "q1' ↿ V⇘𝒱⇙ = q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ (V⇘𝒱⇙ ∩ E⇘ES1⇙)"
by (simp add: Int_commute projection_def)
hence "q1' ↿ V⇘𝒱⇙ = q1' ↿ ((C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ∩ V⇘𝒱1⇙)"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def)
hence "q1' ↿ V⇘𝒱⇙ = q1' ↿ (V⇘𝒱1⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ V⇘𝒱1⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by (simp add: Int_Un_distrib2, metis Int_assoc Int_commute Int_left_commute Un_commute)
with validV1 show ?thesis
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto, simp add: projection_def)
qed
moreover
have "r2' ↿ V⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral
r2'_Vv2_empty r2'_in_E2star)
moreover
have q1'Cv_empty: "q1' ↿ C⇘𝒱⇙ = []"
proof -
from q1'_in_E1star have foo: "q1' = q1' ↿ E⇘ES1⇙"
by (simp add: list_subset_iff_projection_neutral)
hence "q1' ↿ C⇘𝒱⇙ = q1' ↿ (C⇘𝒱⇙ ∩ E⇘ES1⇙)"
by (metis Int_commute list_subset_iff_projection_neutral projection_intersection_neutral)
moreover
from propSepViews have "C⇘𝒱⇙ ∩ E⇘ES1⇙⊆C⇘𝒱1⇙"
unfolding properSeparationOfViews_def by auto
from projection_subset_elim[OF ‹C⇘𝒱⇙ ∩ E⇘ES1⇙⊆C⇘𝒱1⇙›, of q1']
have "q1' ↿ C⇘𝒱1⇙ ↿ C⇘𝒱⇙ ↿ E⇘ES1⇙ = q1' ↿ (C⇘𝒱⇙ ∩ E⇘ES1⇙)"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def)
hence "q1' ↿ E⇘ES1⇙ ↿ C⇘𝒱1⇙ ↿ C⇘𝒱⇙ = q1' ↿ (C⇘𝒱⇙ ∩ E⇘ES1⇙)"
by (simp add: projection_commute)
with foo have "q1' ↿ (C⇘𝒱1⇙ ∩ C⇘𝒱⇙) = q1' ↿ (C⇘𝒱⇙ ∩ E⇘ES1⇙)"
by (simp add: projection_def)
moreover
from q1'_in_Cv1_inter_Upsilon1_union_Nv1_inter_Delta1
have "q1' ↿ (C⇘𝒱1⇙ ∩ C⇘𝒱⇙) = q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ (C⇘𝒱1⇙ ∩ C⇘𝒱⇙)"
by (simp add: list_subset_iff_projection_neutral)
moreover
have "(C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ∩ (C⇘𝒱1⇙ ∩ C⇘𝒱⇙)
= (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ∩ C⇘𝒱⇙"
by fast
hence "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ (C⇘𝒱1⇙ ∩ C⇘𝒱⇙)
= q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ C⇘𝒱⇙"
by (simp add: projection_sequence)
moreover
from validV1
have "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ C⇘𝒱⇙
= q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) ↿ C⇘𝒱⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def Int_commute)
moreover
from q1'Cv1_inter_Upsilon1_is_r2'E1
have "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) ↿ C⇘𝒱⇙ = r2' ↿ E⇘ES1⇙ ↿ C⇘𝒱⇙"
by simp
with projection_on_intersection[OF r2'Cv_empty]
have "q1' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) ↿ C⇘𝒱⇙ = []"
by (simp add: Int_commute projection_def)
ultimately show ?thesis
by auto
qed
moreover
note r2'Cv_empty merge_property'[of q1' r2']
ultimately obtain q'
where q'E1_is_q1': "q' ↿ E⇘ES1⇙ = q1'"
and q'E2_is_r2': "q' ↿ E⇘ES2⇙ = r2'"
and q'V_empty: "q' ↿ V⇘𝒱⇙ = []"
and q'C_empty: "q' ↿ C⇘𝒱⇙ = []"
and q'_in_E1_union_E2_star: "set q' ⊆ (E⇘ES1⇙ ∪ E⇘ES2⇙)"
unfolding Let_def
by auto
let ?tau = "τ @ r1 @ q' @ [𝒱']"
from Cons(2) r1_in_E1star q'_in_E1_union_E2_star v'_in_E1
have "set ?tau ⊆ (E⇘(ES1 ∥ ES2)⇙)"
by (simp add: composeES_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
note s1'_in_E1star
moreover
from t2'_in_E2star t2'_is_r2'_v'_s2' have "set s2' ⊆ E⇘ES2⇙"
by simp
moreover
from q'E1_is_q1' r1_in_E1star v'_in_E1 q1'_in_E1star τE1_r1_q1'_v'_s1'_in_Tr1
have "?tau ↿ E⇘ES1⇙ @ s1' ∈ Tr⇘ES1⇙"
by (simp only: list_subset_iff_projection_neutral
projection_concatenation_commute projection_def, auto)
moreover
from τr1E2_t2'_in_Tr2 t2'_is_r2'_v'_s2' v'_in_E2 q'E2_is_r2'
have "?tau ↿ E⇘ES2⇙ @ s2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
have "lambda' ↿ E⇘ES1⇙ = s1' ↿ V⇘𝒱⇙"
proof -
from Cons(3-4) Cons(8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
moreover
from t1_is_r1_v'_s1 r1_Vv_empty v'_in_Vv1 Vv_is_Vv1_union_Vv2
have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (s1 ↿ V⇘𝒱⇙)"
by (simp only: t1_is_r1_v'_s1 projection_concatenation_commute
projection_def, auto)
moreover
have "s1 ↿ V⇘𝒱⇙ = s1' ↿ V⇘𝒱⇙"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral
s1'Vv1_is_s1_Vv1 s1'_in_E1star s1_in_E1star)
ultimately show ?thesis
by auto
qed
moreover
have "lambda' ↿ E⇘ES2⇙ = s2' ↿ V⇘𝒱⇙"
proof -
from Cons(3,5,9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
moreover
from t2'_is_r2'_v'_s2' r2'_Vv2_empty r2'_in_E2star v'_in_Vv2 propSepViews
have "t2' ↿ V⇘𝒱⇙ = [𝒱'] @ (s2' ↿ V⇘𝒱⇙)"
proof -
have "r2' ↿ V⇘𝒱⇙ =[]"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2 r2'_Vv2_empty
r2'_in_E2star subset_iff_psubset_eq)
with t2'_is_r2'_v'_s2' v'_in_Vv2 Vv_is_Vv1_union_Vv2 show ?thesis
by (simp only: t2'_is_r2'_v'_s2'
projection_concatenation_commute projection_def, auto)
qed
moreover
have "t2 ↿ V⇘𝒱⇙ = t2' ↿ V⇘𝒱⇙"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute outerCons_prems(4)
projection_intersection_neutral t2'_Vv2_is_t2_Vv2 t2'_in_E2star)
ultimately show ?thesis
by auto
qed
moreover
note s1'Cv1_empty s2'_Cv2_empty Cons.hyps[of ?tau s1' s2']
ultimately obtain t'
where τ_r1_q'_v'_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r1 @ q' @ [𝒱'] @ t'"
note τ_r1_q'_v'_t'_in_Tr
moreover
from r1_Vv_empty q'V_empty t'Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by(simp only: projection_concatenation_commute projection_def, auto)
moreover
from VIsViewOnE r1_Cv1_empty t'Cv_empty q'C_empty v'_in_Vv
have "?t ↿ C⇘𝒱⇙ = []"
proof -
from VIsViewOnE v'_in_Vv have "[𝒱'] ↿ C⇘𝒱⇙ = []"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def projection_def, auto)
moreover
from r1_in_E1star r1_Cv1_empty
have "r1 ↿ C⇘𝒱⇙ = []"
using propSepViews projection_on_subset2
unfolding properSeparationOfViews_def by auto
moreover
note t'Cv_empty q'C_empty
ultimately show ?thesis
by (simp only: projection_concatenation_commute, auto)
qed
ultimately have ?thesis
by auto
}
moreover
{
assume v'_in_Vv1_inter_Vv2_inter_Nabla2: "𝒱' ∈ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ∩ ∇⇘Γ2⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙" and v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
and v'_in_Nabla2: "𝒱' ∈ ∇⇘Γ2⇙"
by auto
with v'_in_Vv propSepViews
have v'_in_E1: "𝒱' ∈ E⇘ES1⇙" and v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
unfolding properSeparationOfViews_def by auto
from Cons(3,5,9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r2 s2
where t2_is_r2_v'_s2: "t2 = r2 @ [𝒱'] @ s2"
and r2_Vv_empty: "r2 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱2⇙" "V⇘𝒱⇙" "r2"]
have r2_Vv2_empty: "r2 ↿ V⇘𝒱2⇙ = []"
by auto
from t2_is_r2_v'_s2 Cons(11) have r2_Cv2_empty: "r2 ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2_is_r2_v'_s2 Cons(11) have s2_Cv2_empty: "s2 ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(5) t2_is_r2_v'_s2 have r2_in_E2star: "set r2 ⊆ E⇘ES2⇙"
and s2_in_E2star: "set s2 ⊆ E⇘ES2⇙"
by auto
have r2_in_Nv2star: "set r2 ⊆ N⇘𝒱2⇙"
proof -
note r2_in_E2star
moreover
from r2_Vv2_empty have "set r2 ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r2_Cv2_empty have "set r2 ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
qed
have r2E1_in_Nv2_inter_C1_star: "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) = set r2 ∩ E⇘ES1⇙"
by (simp add: projection_def, auto)
with r2_in_Nv2star have "set (r2 ↿ E⇘ES1⇙) ⊆ (E⇘ES1⇙ ∩ N⇘𝒱2⇙)"
by auto
moreover
from validV1 disjoint_Nv2_Vv1 propSepViews
have "E⇘ES1⇙ ∩ N⇘𝒱2⇙ = N⇘𝒱2⇙ ∩ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
with Cv1_inter_Nv2_subsetof_Upsilon1
have r2E1_in_Nv2_inter_C1_Upsilon1_star: "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
by auto
note outerCons_prems = Cons.prems
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙) ⟹
∃ t1'. ( set t1' ⊆ E⇘ES1⇙
∧ ((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙
∧ t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙
∧ t1' ↿ C⇘𝒱1⇙ = [] )"
proof (induct "r2 ↿ E⇘ES1⇙" arbitrary: r2 rule: rev_induct)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(9) outerCons_prems(3)
outerCons_prems(5) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE1: "xs = xs ↿ E⇘ES1⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES1⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ E⇘ES1⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by auto
with xs_is_xsE1 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain t1''
where t1''_in_E1star: "set t1'' ⊆ E⇘ES1⇙"
and τ_xs_E1_t1''_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ t1'' ∈ Tr⇘ES1⇙"
and t1''Vv1_is_t1Vv1: "t1'' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1''Cv1_empty: "t1'' ↿ C⇘𝒱1⇙ = []"
by auto
have x_in_Cv1_inter_Nv2: "x ∈ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv1: "x ∈ C⇘𝒱1⇙"
by auto
moreover
note τ_xs_E1_t1''_in_Tr1 t1''Cv1_empty
moreover
have Adm: "(Adm 𝒱1 ρ1 Tr⇘ES1⇙ ((τ @ xs) ↿ E⇘ES1⇙) x)"
proof -
from τ_xs_E1_t1''_in_Tr1 validES1
have τ_xsE1_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv1_inter_Nv2 ES1_total_Cv1_inter_Nv2
have τ_xsE1_x_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] ∈ Tr⇘ES1⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1) = ((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA1
ultimately obtain t1'
where res1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1' ∈ Tr⇘ES1⇙"
and res2: "t1' ↿ V⇘𝒱1⇙ = t1'' ↿ V⇘𝒱1⇙"
and res3: "t1' ↿ C⇘𝒱1⇙ = []"
by (simp only: BSIA_def, blast)
have "set t1' ⊆ E⇘ES1⇙"
proof -
from res1 validES1 have "set (((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1') ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
proof -
from res1 xs_is_xsE1 have "((τ ↿ E⇘ES1⇙) @ (xs @ [x])) @ t1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t1''Vv1_is_t1Vv1 res2 have "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r2E1_in_Nv2_inter_C1_star] obtain t1'
where t1'_in_E1star: "set t1' ⊆ E⇘ES1⇙"
and τr2E1_t1'_in_Tr1: "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
and t1'_Vv1_is_t1_Vv1: "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1'_Cv1_empty: "t1' ↿ C⇘𝒱1⇙ = []"
by auto
have "t1' ↿ V⇘𝒱1⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
proof -
from projection_intersection_neutral[OF Cons(4), of "V⇘𝒱⇙"] propSepViews
have "t1 ↿ V⇘𝒱⇙ = t1 ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (simp only: Int_commute)
with Cons(8) t1'_Vv1_is_t1_Vv1 v'_in_E1 show ?thesis
by (simp add: projection_def)
qed
from projection_split_first[OF this] obtain r1' s1'
where t1'_is_r1'_v'_s1': "t1' = r1' @ [𝒱'] @ s1'"
and r1'_Vv1_empty: "r1' ↿ V⇘𝒱1⇙ = []"
by auto
from t1'_is_r1'_v'_s1' t1'_Cv1_empty have r1'_Cv1_empty: "r1' ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1'_is_r1'_v'_s1' t1'_Cv1_empty have s1'_Cv1_empty: "s1' ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from t1'_in_E1star t1'_is_r1'_v'_s1' have r1'_in_E1star: "set r1' ⊆ E⇘ES1⇙"
by auto
have r1'_in_Nv1star: "set r1' ⊆ N⇘𝒱1⇙"
proof -
note r1'_in_E1star
moreover
from r1'_Vv1_empty have "set r1' ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r1'_Cv1_empty have "set r1' ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
qed
have r1'E2_in_Nv1_inter_C2_star: "set (r1' ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1' ↿ E⇘ES2⇙) = set r1' ∩ E⇘ES2⇙"
by (simp add: projection_def, auto)
with r1'_in_Nv1star have "set (r1' ↿ E⇘ES2⇙) ⊆ (E⇘ES2⇙ ∩ N⇘𝒱1⇙)"
by auto
moreover
from validV2 propSepViews disjoint_Nv1_Vv2
have "E⇘ES2⇙ ∩ N⇘𝒱1⇙ = N⇘𝒱1⇙ ∩ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
with Cv2_inter_Nv1_subsetof_Upsilon2
have r1'E2_in_Nv1_inter_Cv2_Upsilon2_star:
"set (r1' ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
by auto
have "set (r1' ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) ⟹
∃ s2' q2'. (
set s2' ⊆ E⇘ES2⇙ ∧ set q2' ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙
∧ (τ ↿ E⇘ES2⇙) @ r2 @ q2' @ [𝒱'] @ s2' ∈ Tr⇘ES2⇙
∧ q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = r1' ↿ E⇘ES2⇙
∧ s2' ↿ V⇘𝒱2⇙ = s2 ↿ V⇘𝒱2⇙
∧ s2' ↿ C⇘𝒱2⇙ = [])"
proof (induct "r1' ↿ E⇘ES2⇙" arbitrary: r1' rule: rev_induct)
case Nil
note s2_in_E2star
moreover
have "set [] ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from outerCons_prems(6) t2_is_r2_v'_s2
have "τ ↿ E⇘ES2⇙ @ r2 @ [] @ [𝒱'] @ s2 ∈ Tr⇘ES2⇙"
by auto
moreover
from Nil have "[] ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = r1' ↿ E⇘ES2⇙"
by (simp add: projection_def)
moreover
have "s2 ↿ V⇘𝒱2⇙ = s2 ↿ V⇘𝒱2⇙"..
moreover
note s2_Cv2_empty
ultimately show ?case
by blast
next
case (snoc x xs)
have xs_is_xsE2: "xs = xs ↿ E⇘ES2⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES2⇙"
by (simp add: projection_def, auto)
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES2⇙) ⊆ N⇘𝒱1⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ N⇘𝒱1⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by simp
with xs_is_xsE2 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain s2'' q2''
where s2''_in_E2star: "set s2'' ⊆ E⇘ES2⇙"
and q2''_in_C2_inter_Upsilon2_inter_Delta2: "set q2'' ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and τE2_r2_q2''_v'_s2''_in_Tr2: "(τ ↿ E⇘ES2⇙ @ r2 @ q2'') @ [𝒱'] @ s2'' ∈ Tr⇘ES2⇙"
and q2''C2_Upsilon2_is_xsE2: "q2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = xs ↿ E⇘ES2⇙"
and s2''V2_is_s2V2: "s2'' ↿ V⇘𝒱2⇙ = s2 ↿ V⇘𝒱2⇙"
and s2''C2_empty: "s2'' ↿ C⇘𝒱2⇙ = []"
by auto
have x_in_Cv2_inter_Upsilon2: "x ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
and x_in_Cv2_inter_Nv1: "x ∈ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
by simp
thus "x ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
and "x ∈ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙"
by auto
qed
with validV2 have x_in_E2: "x ∈ E⇘ES2⇙"
by (simp add:isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
note x_in_Cv2_inter_Upsilon2
moreover
from v'_in_Vv1_inter_Vv2_inter_Nabla2 have "𝒱' ∈ V⇘𝒱2⇙ ∩ ∇⇘Γ2⇙"
by auto
moreover
note τE2_r2_q2''_v'_s2''_in_Tr2 s2''C2_empty
moreover
have Adm: "(Adm 𝒱2 ρ2 Tr⇘ES2⇙ (τ ↿ E⇘ES2⇙ @ r2 @ q2'') x)"
proof -
from τE2_r2_q2''_v'_s2''_in_Tr2 validES2
have "(τ ↿ E⇘ES2⇙ @ r2 @ q2'') ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv2_inter_Nv1 ES2_total_Cv2_inter_Nv1
have "(τ ↿ E⇘ES2⇙ @ r2 @ q2'') @ [x] ∈ Tr⇘ES2⇙"
by (simp only: total_def)
moreover
have "(τ ↿ E⇘ES2⇙ @ r2 @ q2'') ↿ (ρ2 𝒱2) = (τ ↿ E⇘ES2⇙ @ r2 @ q2'') ↿ (ρ2 𝒱2)" ..
ultimately show ?thesis
by (simp only: Adm_def, blast)
qed
moreover
note FCIA2
ultimately
obtain s2' γ'
where res1: "(set γ') ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
and res2: "((τ ↿ E⇘ES2⇙ @ r2 @ q2'') @ [x] @ γ' @ [𝒱'] @ s2') ∈ Tr⇘ES2⇙"
and res3: "(s2' ↿ V⇘𝒱2⇙) = (s2'' ↿ V⇘𝒱2⇙)"
and res4: "s2' ↿ C⇘𝒱2⇙ = []"
unfolding FCIA_def
by blast
let ?q2' = "q2'' @ [x] @ γ'"
from res2 validES2 have "set s2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from res1 x_in_Cv2_inter_Upsilon2 q2''_in_C2_inter_Upsilon2_inter_Delta2
have "set ?q2' ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from res2 have "τ ↿ E⇘ES2⇙ @ r2 @ ?q2' @ [𝒱'] @ s2' ∈ Tr⇘ES2⇙"
by auto
moreover
have "?q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = r1' ↿ E⇘ES2⇙"
proof -
from validV2 res1 have "γ' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = []"
proof -
from res1 have "γ' = γ' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by (simp only: list_subset_iff_projection_neutral)
hence "γ' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = γ' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
by simp
hence "γ' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = γ' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
by (simp only: projection_def, auto)
moreover
from validV2 have "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ = {}"
by (simp add:isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by (simp add: projection_def)
qed
hence "?q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = (q2'' @ [x]) ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
by (simp only: projection_concatenation_commute, auto)
with q2''C2_Upsilon2_is_xsE2 x_in_Cv2_inter_Upsilon2
have "?q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = (xs ↿ E⇘ES2⇙) @ [x]"
by (simp only: projection_concatenation_commute projection_def, auto)
with xs_is_xsE2 snoc(2) show ?thesis
by simp
qed
moreover
from res3 s2''V2_is_s2V2 have "s2' ↿ V⇘𝒱2⇙ = s2 ↿ V⇘𝒱2⇙"
by simp
moreover
note res4
ultimately show ?case
by blast
qed
from this[OF r1'E2_in_Nv1_inter_Cv2_Upsilon2_star] obtain s2' q2'
where s2'_in_E2star: "set s2' ⊆ E⇘ES2⇙"
and q2'_in_Cv2_inter_Upsilon2_union_Nv2_inter_Delta2:
"set q2' ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and τE2_r2_q2'_v'_s2'_in_Tr2: "(τ ↿ E⇘ES2⇙) @ r2 @ q2' @ [𝒱'] @ s2' ∈ Tr⇘ES2⇙"
and q2'Cv2_inter_Upsilon2_is_r1'E2: "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = r1' ↿ E⇘ES2⇙"
and s2'Vv2_is_s2_Vv2: "s2' ↿ V⇘𝒱2⇙ = s2 ↿ V⇘𝒱2⇙"
and s2'Cv2_empty: "s2' ↿ C⇘𝒱2⇙ = []"
by auto
from q2'_in_Cv2_inter_Upsilon2_union_Nv2_inter_Delta2 validV2
have q2'_in_E2star: "set q2' ⊆ E⇘ES2⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
have r1'Cv_empty: "r1' ↿ C⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2
r1'_Cv1_empty r1'_in_E1star)
from validES2 τE2_r2_q2'_v'_s2'_in_Tr2
have q2'_in_E2star: "set q2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
note r1'_in_E1star
moreover
have q2'E1_is_r1'E2: "q2' ↿ E⇘ES1⇙ = r1' ↿ E⇘ES2⇙"
proof -
from q2'_in_Cv2_inter_Upsilon2_union_Nv2_inter_Delta2
have "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) = q2'"
by (simp add: list_subset_iff_projection_neutral)
hence "(q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)) ↿ E⇘ES1⇙ = q2' ↿ E⇘ES1⇙"
by simp
hence "q2' ↿ ((C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ∩ E⇘ES1⇙) = q2' ↿ E⇘ES1⇙"
by (simp add: projection_def)
hence "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ E⇘ES1⇙) = q2' ↿ E⇘ES1⇙"
by (simp only: Int_Un_distrib2 disjoint_Nv2_inter_Delta2_inter_E1, auto)
moreover
from q2'Cv2_inter_Upsilon2_is_r1'E2
have "(q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)) ↿ E⇘ES1⇙ = (r1' ↿ E⇘ES2⇙) ↿ E⇘ES1⇙"
by simp
hence "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ E⇘ES1⇙) = (r1' ↿ E⇘ES1⇙) ↿ E⇘ES2⇙"
by (simp add: projection_def conj_commute)
with r1'_in_E1star have "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ E⇘ES1⇙) = r1' ↿ E⇘ES2⇙"
by (simp only: list_subset_iff_projection_neutral)
ultimately show ?thesis
by auto
qed
moreover
have "q2' ↿ V⇘𝒱⇙ = []"
proof -
from q2'_in_Cv2_inter_Upsilon2_union_Nv2_inter_Delta2
have "q2' = q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by (simp add: list_subset_iff_projection_neutral)
moreover
from q2'_in_E2star have "q2' = q2' ↿ E⇘ES2⇙"
by (simp add: list_subset_iff_projection_neutral)
ultimately have "q2' = q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ E⇘ES2⇙"
by simp
hence "q2' ↿ V⇘𝒱⇙ = q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ E⇘ES2⇙ ↿ V⇘𝒱⇙"
by simp
hence "q2' ↿ V⇘𝒱⇙ = q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ (V⇘𝒱⇙ ∩ E⇘ES2⇙)"
by (simp add: Int_commute projection_def)
with propSepViews
have "q2' ↿ V⇘𝒱⇙ = q2' ↿ ((C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ∩ V⇘𝒱2⇙)"
unfolding properSeparationOfViews_def
by (simp add: projection_def)
hence "q2' ↿ V⇘𝒱⇙ = q2' ↿ (V⇘𝒱2⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ V⇘𝒱2⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by (simp add: Int_Un_distrib2, metis Int_assoc
Int_commute Int_left_commute Un_commute)
with validV2 show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto, simp add: projection_def)
qed
moreover
have "r1' ↿ V⇘𝒱⇙ = []"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral
r1'_Vv1_empty r1'_in_E1star)
moreover
have q2'Cv_empty: "q2' ↿ C⇘𝒱⇙ = []"
proof -
from q2'_in_E2star have foo: "q2' = q2' ↿ E⇘ES2⇙"
by (simp add: list_subset_iff_projection_neutral)
hence "q2' ↿ C⇘𝒱⇙ = q2' ↿ (C⇘𝒱⇙ ∩ E⇘ES2⇙)"
by (metis Int_commute list_subset_iff_projection_neutral
projection_intersection_neutral)
moreover
from propSepViews have "C⇘𝒱⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
from projection_subset_elim[OF ‹C⇘𝒱⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙›, of q2']
have "q2' ↿ C⇘𝒱2⇙ ↿ C⇘𝒱⇙ ↿ E⇘ES2⇙ = q2' ↿ (C⇘𝒱⇙ ∩ E⇘ES2⇙)"
by (simp add: projection_def)
hence "q2' ↿ E⇘ES2⇙ ↿ C⇘𝒱2⇙ ↿ C⇘𝒱⇙ = q2' ↿ (C⇘𝒱⇙ ∩ E⇘ES2⇙)"
by (simp add: projection_commute)
with foo have "q2' ↿ (C⇘𝒱2⇙ ∩ C⇘𝒱⇙) = q2' ↿ (C⇘𝒱⇙ ∩ E⇘ES2⇙)"
by (simp add: projection_def)
moreover
from q2'_in_Cv2_inter_Upsilon2_union_Nv2_inter_Delta2
have "q2' ↿ (C⇘𝒱2⇙ ∩ C⇘𝒱⇙) = q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ (C⇘𝒱2⇙ ∩ C⇘𝒱⇙)"
by (simp add: list_subset_iff_projection_neutral)
moreover
have "(C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ∩ (C⇘𝒱2⇙ ∩ C⇘𝒱⇙)
= (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ∩ C⇘𝒱⇙"
by fast
hence "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ (C⇘𝒱2⇙ ∩ C⇘𝒱⇙)
= q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ C⇘𝒱⇙"
by (simp add: projection_sequence)
moreover
from validV2
have "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ C⇘𝒱⇙
= q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) ↿ C⇘𝒱⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def Int_commute)
moreover
from q2'Cv2_inter_Upsilon2_is_r1'E2
have "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) ↿ C⇘𝒱⇙ = r1' ↿ E⇘ES2⇙ ↿ C⇘𝒱⇙"
by simp
with projection_on_intersection[OF r1'Cv_empty] have "q2' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) ↿ C⇘𝒱⇙ = []"
by (simp add: Int_commute projection_def)
ultimately show ?thesis
by auto
qed
moreover
note r1'Cv_empty merge_property'[of r1' q2']
ultimately obtain q'
where q'E2_is_q2': "q' ↿ E⇘ES2⇙ = q2'"
and q'E1_is_r1': "q' ↿ E⇘ES1⇙ = r1'"
and q'V_empty: "q' ↿ V⇘𝒱⇙ = []"
and q'C_empty: "q' ↿ C⇘𝒱⇙ = []"
and q'_in_E1_union_E2_star: "set q' ⊆ (E⇘ES1⇙ ∪ E⇘ES2⇙)"
unfolding Let_def
by auto
let ?tau = "τ @ r2 @ q' @ [𝒱']"
from Cons(2) r2_in_E2star q'_in_E1_union_E2_star v'_in_E2
have "set ?tau ⊆ (E⇘(ES1 ∥ ES2)⇙)"
by (simp add: composeES_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from t1'_in_E1star t1'_is_r1'_v'_s1' have "set s1' ⊆ E⇘ES1⇙"
by simp
moreover
note s2'_in_E2star
moreover
from τr2E1_t1'_in_Tr1 t1'_is_r1'_v'_s1' v'_in_E1 q'E1_is_r1'
have "?tau ↿ E⇘ES1⇙ @ s1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
from q'E2_is_q2' r2_in_E2star v'_in_E2 q2'_in_E2star τE2_r2_q2'_v'_s2'_in_Tr2
have "?tau ↿ E⇘ES2⇙ @ s2' ∈ Tr⇘ES2⇙"
by (simp only: list_subset_iff_projection_neutral
projection_concatenation_commute projection_def, auto)
moreover
have "lambda' ↿ E⇘ES1⇙ = s1' ↿ V⇘𝒱⇙"
proof -
from Cons(2,4,8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
moreover
from t1'_is_r1'_v'_s1' r1'_Vv1_empty r1'_in_E1star
v'_in_Vv1 propSepViews
have "t1' ↿ V⇘𝒱⇙ = [𝒱'] @ (s1' ↿ V⇘𝒱⇙)"
proof -
have "r1' ↿ V⇘𝒱⇙ =[]"
using propSepViews unfolding properSeparationOfViews_def
by (metis projection_on_subset2 r1'_Vv1_empty
r1'_in_E1star subset_iff_psubset_eq)
with t1'_is_r1'_v'_s1' v'_in_Vv1 Vv_is_Vv1_union_Vv2 show ?thesis
by (simp only: t1'_is_r1'_v'_s1' projection_concatenation_commute
projection_def, auto)
qed
moreover
have "t1 ↿ V⇘𝒱⇙ = t1' ↿ V⇘𝒱⇙"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute outerCons_prems(3)
projection_intersection_neutral t1'_Vv1_is_t1_Vv1 t1'_in_E1star)
ultimately show ?thesis
by auto
qed
moreover
have "lambda' ↿ E⇘ES2⇙ = s2' ↿ V⇘𝒱⇙"
proof -
from Cons(3,5,9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
moreover
from t2_is_r2_v'_s2 r2_Vv_empty v'_in_Vv2 Vv_is_Vv1_union_Vv2
have "t2 ↿ V⇘𝒱⇙ = [𝒱'] @ (s2 ↿ V⇘𝒱⇙)"
by (simp only: t2_is_r2_v'_s2 projection_concatenation_commute
projection_def, auto)
moreover
have "s2 ↿ V⇘𝒱⇙ = s2' ↿ V⇘𝒱⇙"
using propSepViews unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral
s2'Vv2_is_s2_Vv2 s2'_in_E2star s2_in_E2star)
ultimately show ?thesis
by auto
qed
moreover
note s1'_Cv1_empty s2'Cv2_empty Cons.hyps[of ?tau s1' s2']
ultimately obtain t'
where τ_r2_q'_v'_t'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r2 @ q' @ [𝒱'] @ t'"
note τ_r2_q'_v'_t'_in_Tr
moreover
from r2_Vv_empty q'V_empty t'Vv_is_lambda' v'_in_Vv
have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by(simp only: projection_concatenation_commute projection_def, auto)
moreover
from VIsViewOnE r2_Cv2_empty t'Cv_empty q'C_empty v'_in_Vv
have "?t ↿ C⇘𝒱⇙ = []"
proof -
from VIsViewOnE v'_in_Vv have "[𝒱'] ↿ C⇘𝒱⇙ = []"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def projection_def, auto)
moreover
from r2_in_E2star r2_Cv2_empty
have "r2 ↿ C⇘𝒱⇙ = []"
using propSepViews projection_on_subset2 unfolding properSeparationOfViews_def
by auto
moreover
note t'Cv_empty q'C_empty
ultimately show ?thesis
by (simp only: projection_concatenation_commute, auto)
qed
ultimately have ?thesis
by auto
}
moreover
{
assume v'_in_Vv1_minus_E2: "𝒱' ∈ V⇘𝒱1⇙ - E⇘ES2⇙"
hence v'_in_Vv1: "𝒱' ∈ V⇘𝒱1⇙"
by auto
with v'_in_Vv have v'_in_E1: "𝒱' ∈ E⇘ES1⇙"
using propSepViews unfolding properSeparationOfViews_def
by auto
from v'_in_Vv1_minus_E2 have v'_notin_E2: "𝒱' ∉ E⇘ES2⇙"
by auto
with validV2 have v'_notin_Vv2: "𝒱' ∉ V⇘𝒱2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
from Cons(3-4) Cons(8) v'_in_E1 have "t1 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES1⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r1 s1
where t1_is_r1_v'_s1: "t1 = r1 @ [𝒱'] @ s1"
and r1_Vv_empty: "r1 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱1⇙" "V⇘𝒱⇙" "r1"]
have r1_Vv1_empty: "r1 ↿ V⇘𝒱1⇙ = []"
by auto
from t1_is_r1_v'_s1 Cons(10) have r1_Cv1_empty: "r1 ↿ C⇘𝒱1⇙ = []"
by (simp add: projection_concatenation_commute)
from t1_is_r1_v'_s1 Cons(10) have s1_Cv1_empty: "s1 ↿ C⇘𝒱1⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(4) t1_is_r1_v'_s1 have r1_in_E1star: "set r1 ⊆ E⇘ES1⇙"
by auto
have r1_in_Nv1star: "set r1 ⊆ N⇘𝒱1⇙"
proof -
note r1_in_E1star
moreover
from r1_Vv1_empty have "set r1 ∩ V⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r1_Cv1_empty have "set r1 ∩ C⇘𝒱1⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV1
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
qed
have r1E2_in_Nv1_inter_C2_star: "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) = set r1 ∩ E⇘ES2⇙"
by (simp add: projection_def, auto)
with r1_in_Nv1star have "set (r1 ↿ E⇘ES2⇙) ⊆ (E⇘ES2⇙ ∩ N⇘𝒱1⇙)"
by auto
moreover
from validV2 disjoint_Nv1_Vv2
have "E⇘ES2⇙ ∩ N⇘𝒱1⇙ = N⇘𝒱1⇙ ∩ C⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
with Cv2_inter_Nv1_subsetof_Upsilon2
have r1E2_in_Nv1_inter_C2_Upsilon2_star: "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
by auto
note outerCons_prems = Cons.prems
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙) ⟹
∃ t2'. ( set t2' ⊆ E⇘ES2⇙
∧ ((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙
∧ t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙
∧ t2' ↿ C⇘𝒱2⇙ = [] )"
proof (induct "r1 ↿ E⇘ES2⇙" arbitrary: r1 rule: rev_induct)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(10) outerCons_prems(4)
outerCons_prems(6) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE2: "xs = xs ↿ E⇘ES2⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES2⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ (E⇘ES2⇙)"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
proof -
have "set (r1 ↿ E⇘ES2⇙) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by auto
with xs_is_xsE2 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain t2''
where t2''_in_E2star: "set t2'' ⊆ E⇘ES2⇙"
and τ_xs_E2_t2''_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ t2'' ∈ Tr⇘ES2⇙"
and t2''Vv2_is_t2Vv2: "t2'' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2''Cv2_empty: "t2'' ↿ C⇘𝒱2⇙ = []"
by auto
have x_in_Cv2_inter_Nv1: "x ∈ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱1⇙ ∩ C⇘𝒱2⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv2: "x ∈ C⇘𝒱2⇙"
by auto
moreover
note τ_xs_E2_t2''_in_Tr2 t2''Cv2_empty
moreover
have Adm: "(Adm 𝒱2 ρ2 Tr⇘ES2⇙ ((τ @ xs) ↿ E⇘ES2⇙) x)"
proof -
from τ_xs_E2_t2''_in_Tr2 validES2
have τ_xsE2_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv2_inter_Nv1 ES2_total_Cv2_inter_Nv1
have τ_xsE2_x_in_Tr2: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] ∈ Tr⇘ES2⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2) = ((τ @ xs) ↿ E⇘ES2⇙) ↿ (ρ2 𝒱2)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA2
ultimately obtain t2'
where res1: "((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2' ∈ Tr⇘ES2⇙"
and res2: "t2' ↿ V⇘𝒱2⇙ = t2'' ↿ V⇘𝒱2⇙"
and res3: "t2' ↿ C⇘𝒱2⇙ = []"
by (simp only: BSIA_def, blast)
have "set t2' ⊆ E⇘ES2⇙"
proof -
from res1 validES2 have "set (((τ @ xs) ↿ E⇘ES2⇙) @ [x] @ t2') ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
proof -
from res1 xs_is_xsE2 have "((τ ↿ E⇘ES2⇙) @ (xs @ [x])) @ t2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t2''Vv2_is_t2Vv2 res2 have "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r1E2_in_Nv1_inter_C2_star] obtain t2'
where t2'_in_E2star: "set t2' ⊆ E⇘ES2⇙"
and τr1E2_t2'_in_Tr2: "((τ @ r1) ↿ E⇘ES2⇙) @ t2' ∈ Tr⇘ES2⇙"
and t2'_Vv2_is_t2_Vv2: "t2' ↿ V⇘𝒱2⇙ = t2 ↿ V⇘𝒱2⇙"
and t2'_Cv2_empty: "t2' ↿ C⇘𝒱2⇙ = []"
by auto
let ?tau = "τ @ r1 @ [𝒱']"
from v'_in_E1 Cons(2) r1_in_Nv1star validV1 have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: isViewOn_def composeES_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from Cons(4) t1_is_r1_v'_s1 have "set s1 ⊆ E⇘ES1⇙"
by auto
moreover
note t2'_in_E2star
moreover
have "?tau ↿ E⇘ES1⇙ @ s1 ∈ Tr⇘ES1⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(3) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(3) Cons.prems(5)
projection_concatenation_commute t1_is_r1_v'_s1)
moreover
from τr1E2_t2'_in_Tr2 v'_notin_E2 have "?tau ↿ E⇘ES2⇙ @ t2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
from Cons(8) t1_is_r1_v'_s1 r1_Vv_empty v'_in_E1 v'_in_Vv have "lambda' ↿ E⇘ES1⇙ = s1 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
from Cons(9) v'_notin_E2 t2'_Vv2_is_t2_Vv2 have "lambda' ↿ E⇘ES2⇙ = t2' ↿ V⇘𝒱⇙"
proof -
have "t2' ↿ V⇘𝒱⇙ = t2' ↿ V⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def projection_intersection_neutral t2'_in_E2star)
moreover
have "t2 ↿ V⇘𝒱⇙ = t2 ↿ V⇘𝒱2⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def projection_intersection_neutral Cons(5))
moreover
note Cons(9) v'_notin_E2 t2'_Vv2_is_t2_Vv2
ultimately show ?thesis
by (simp add: projection_def)
qed
moreover
note s1_Cv1_empty t2'_Cv2_empty
moreover
note Cons.hyps(1)[of ?tau s1 t2']
ultimately obtain t'
where τr1v't'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r1 @ [𝒱'] @ t'"
note τr1v't'_in_Tr
moreover
from r1_Vv_empty t'_Vv_is_lambda' v'_in_Vv have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
have "r1 ↿ C⇘𝒱⇙ = []"
proof -
from propSepViews have "E⇘ES1⇙ ∩ C⇘𝒱⇙ ⊆ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def by auto
from projection_on_subset[OF ‹E⇘ES1⇙ ∩ C⇘𝒱⇙ ⊆ C⇘𝒱1⇙› r1_Cv1_empty]
have "r1 ↿ (E⇘ES1⇙ ∩ C⇘𝒱⇙) = []"
by (simp only: Int_commute)
with projection_intersection_neutral[OF r1_in_E1star, of "C⇘𝒱⇙"] show ?thesis
by simp
qed
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
moreover
{
assume v'_in_Vv2_minus_E1: "𝒱' ∈ V⇘𝒱2⇙ - E⇘ES1⇙"
hence v'_in_Vv2: "𝒱' ∈ V⇘𝒱2⇙"
by auto
with v'_in_Vv propSepViews have v'_in_E2: "𝒱' ∈ E⇘ES2⇙"
unfolding properSeparationOfViews_def
by auto
from v'_in_Vv2_minus_E1 have v'_notin_E1: "𝒱' ∉ E⇘ES1⇙"
by auto
with validV1 have v'_notin_Vv1: "𝒱' ∉ V⇘𝒱1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
from Cons(3) Cons(5) Cons(9) v'_in_E2 have "t2 ↿ V⇘𝒱⇙ = 𝒱' # (lambda' ↿ E⇘ES2⇙)"
by (simp add: projection_def)
from projection_split_first[OF this] obtain r2 s2
where t2_is_r2_v'_s2: "t2 = r2 @ [𝒱'] @ s2"
and r2_Vv_empty: "r2 ↿ V⇘𝒱⇙ = []"
by auto
with Vv_is_Vv1_union_Vv2 projection_on_subset[of "V⇘𝒱2⇙" "V⇘𝒱⇙" "r2"]
have r2_Vv2_empty: "r2 ↿ V⇘𝒱2⇙ = []"
by auto
from t2_is_r2_v'_s2 Cons(11) have r2_Cv2_empty: "r2 ↿ C⇘𝒱2⇙ = []"
by (simp add: projection_concatenation_commute)
from t2_is_r2_v'_s2 Cons(11) have s2_Cv2_empty: "s2 ↿ C⇘𝒱2⇙ = []"
by (simp only: projection_concatenation_commute, auto)
from Cons(5) t2_is_r2_v'_s2 have r2_in_E2star: "set r2 ⊆ E⇘ES2⇙"
by auto
have r2_in_Nv2star: "set r2 ⊆ N⇘𝒱2⇙"
proof -
note r2_in_E2star
moreover
from r2_Vv2_empty have "set r2 ∩ V⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
from r2_Cv2_empty have "set r2 ∩ C⇘𝒱2⇙ = {}"
by (metis Compl_Diff_eq Diff_cancel Un_upper2
disjoint_eq_subset_Compl list_subset_iff_projection_neutral
projection_on_union)
moreover
note validV2
ultimately show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
qed
have r2E1_in_Nv2_inter_C1_star: "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) = set r2 ∩ E⇘ES1⇙"
by (simp add: projection_def, auto)
with r2_in_Nv2star have "set (r2 ↿ E⇘ES1⇙) ⊆ (E⇘ES1⇙ ∩ N⇘𝒱2⇙)"
by auto
moreover
from validV1 propSepViews disjoint_Nv2_Vv1
have "E⇘ES1⇙ ∩ N⇘𝒱2⇙ = N⇘𝒱2⇙ ∩ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by auto
qed
with Cv1_inter_Nv2_subsetof_Upsilon1
have r2E1_in_Nv2_inter_C1_Upsilon1_star: "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
by auto
note outerCons_prems = Cons.prems
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙) ⟹
∃ t1'. ( set t1' ⊆ E⇘ES1⇙
∧ ((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙
∧ t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙
∧ t1' ↿ C⇘𝒱1⇙ = [] )"
proof (induct "r2 ↿ E⇘ES1⇙" arbitrary: r2 rule: rev_induct)
case Nil thus ?case
by (metis append_self_conv outerCons_prems(9) outerCons_prems(3)
outerCons_prems(5) projection_concatenation_commute)
next
case (snoc x xs)
have xs_is_xsE1: "xs = xs ↿ E⇘ES1⇙"
proof -
from snoc(2) have "set (xs @ [x]) ⊆ E⇘ES1⇙"
by (simp add: projection_def, auto)
hence "set xs ⊆ E⇘ES1⇙"
by auto
thus ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "set (xs ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
proof -
have "set (r2 ↿ E⇘ES1⇙) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by (metis Int_commute snoc.prems)
with snoc(2) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
hence "set xs ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by auto
with xs_is_xsE1 show ?thesis
by auto
qed
moreover
note snoc.hyps(1)[of xs]
ultimately obtain t1''
where t1''_in_E1star: "set t1'' ⊆ E⇘ES1⇙"
and τ_xs_E1_t1''_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ t1'' ∈ Tr⇘ES1⇙"
and t1''Vv1_is_t1Vv1: "t1'' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1''Cv1_empty: "t1'' ↿ C⇘𝒱1⇙ = []"
by auto
have x_in_Cv1_inter_Nv2: "x ∈ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙"
proof -
from snoc(2-3) have "set (xs @ [x]) ⊆ (N⇘𝒱2⇙ ∩ C⇘𝒱1⇙)"
by simp
thus ?thesis
by auto
qed
hence x_in_Cv1: "x ∈ C⇘𝒱1⇙"
by auto
moreover
note τ_xs_E1_t1''_in_Tr1 t1''Cv1_empty
moreover
have Adm: "(Adm 𝒱1 ρ1 Tr⇘ES1⇙ ((τ @ xs) ↿ E⇘ES1⇙) x)"
proof -
from τ_xs_E1_t1''_in_Tr1 validES1
have τ_xsE1_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
with x_in_Cv1_inter_Nv2 ES1_total_Cv1_inter_Nv2
have τ_xsE1_x_in_Tr1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] ∈ Tr⇘ES1⇙"
by (simp only: total_def)
moreover
have "((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1) = ((τ @ xs) ↿ E⇘ES1⇙) ↿ (ρ1 𝒱1)" ..
ultimately show ?thesis
by (simp add: Adm_def, auto)
qed
moreover note BSIA1
ultimately obtain t1'
where res1: "((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1' ∈ Tr⇘ES1⇙"
and res2: "t1' ↿ V⇘𝒱1⇙ = t1'' ↿ V⇘𝒱1⇙"
and res3: "t1' ↿ C⇘𝒱1⇙ = []"
by (simp only: BSIA_def, blast)
have "set t1' ⊆ E⇘ES1⇙"
proof -
from res1 validES1 have "set (((τ @ xs) ↿ E⇘ES1⇙) @ [x] @ t1') ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
thus ?thesis
by auto
qed
moreover
have "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
proof -
from res1 xs_is_xsE1 have "((τ ↿ E⇘ES1⇙) @ (xs @ [x])) @ t1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by (simp only: snoc(2) projection_concatenation_commute)
qed
moreover
from t1''Vv1_is_t1Vv1 res2 have "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
by auto
moreover
note res3
ultimately show ?case
by auto
qed
from this[OF r2E1_in_Nv2_inter_C1_star] obtain t1'
where t1'_in_E1star: "set t1' ⊆ E⇘ES1⇙"
and τr2E1_t1'_in_Tr1: "((τ @ r2) ↿ E⇘ES1⇙) @ t1' ∈ Tr⇘ES1⇙"
and t1'_Vv1_is_t1_Vv1: "t1' ↿ V⇘𝒱1⇙ = t1 ↿ V⇘𝒱1⇙"
and t1'_Cv1_empty: "t1' ↿ C⇘𝒱1⇙ = []"
by auto
let ?tau = "τ @ r2 @ [𝒱']"
from v'_in_E2 Cons(2) r2_in_Nv2star validV2 have "set ?tau ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp only: composeES_def isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
moreover
from Cons(3) have "set lambda' ⊆ V⇘𝒱⇙"
by auto
moreover
from Cons(5) t2_is_r2_v'_s2 have "set s2 ⊆ E⇘ES2⇙"
by auto
moreover
note t1'_in_E1star
moreover
have "?tau ↿ E⇘ES2⇙ @ s2 ∈ Tr⇘ES2⇙"
by (metis Cons_eq_appendI append_eq_appendI calculation(3) eq_Nil_appendI
list_subset_iff_projection_neutral Cons.prems(4) Cons.prems(6)
projection_concatenation_commute t2_is_r2_v'_s2)
moreover
from τr2E1_t1'_in_Tr1 v'_notin_E1 have "?tau ↿ E⇘ES1⇙ @ t1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
from Cons(9) t2_is_r2_v'_s2 r2_Vv_empty v'_in_E2 v'_in_Vv
have "lambda' ↿ E⇘ES2⇙ = s2 ↿ V⇘𝒱⇙"
by (simp add: projection_def)
moreover
from Cons(10) v'_notin_E1 t1'_Vv1_is_t1_Vv1
have "lambda' ↿ E⇘ES1⇙ = t1' ↿ V⇘𝒱⇙"
proof -
have "t1' ↿ V⇘𝒱⇙ = t1' ↿ V⇘𝒱1⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def projection_intersection_neutral t1'_in_E1star)
moreover
have "t1 ↿ V⇘𝒱⇙ = t1 ↿ V⇘𝒱1⇙"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: projection_def, metis Int_commute
projection_def projection_intersection_neutral Cons(4))
moreover
note Cons(8) v'_notin_E1 t1'_Vv1_is_t1_Vv1
ultimately show ?thesis
by (simp add: projection_def)
qed
moreover
note s2_Cv2_empty t1'_Cv1_empty
moreover
note Cons.hyps(1)[of ?tau t1' s2]
ultimately obtain t'
where τr2v't'_in_Tr: "?tau @ t' ∈ Tr⇘(ES1 ∥ ES2)⇙"
and t'_Vv_is_lambda': "t' ↿ V⇘𝒱⇙ = lambda'"
and t'_Cv_empty: "t' ↿ C⇘𝒱⇙ = []"
by auto
let ?t = "r2 @ [𝒱'] @ t'"
note τr2v't'_in_Tr
moreover
from r2_Vv_empty t'_Vv_is_lambda' v'_in_Vv have "?t ↿ V⇘𝒱⇙ = 𝒱' # lambda'"
by (simp add: projection_def)
moreover
have "?t ↿ C⇘𝒱⇙ = []"
proof -
have "r2 ↿ C⇘𝒱⇙ = []"
proof -
from propSepViews have "E⇘ES2⇙ ∩ C⇘𝒱⇙ ⊆ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
from projection_on_subset[OF ‹E⇘ES2⇙ ∩ C⇘𝒱⇙ ⊆ C⇘𝒱2⇙› r2_Cv2_empty]
have "r2 ↿ (E⇘ES2⇙ ∩ C⇘𝒱⇙) = []"
by (simp only: Int_commute)
with projection_intersection_neutral[OF r2_in_E2star, of "C⇘𝒱⇙"] show ?thesis
by simp
qed
with v'_in_Vv VIsViewOnE t'_Cv_empty show ?thesis
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def projection_def, auto)
qed
ultimately have ?thesis
by auto
}
ultimately show ?thesis
by blast
qed
qed
}
thus ?thesis
by auto
qed
(* Generalized zipping lemma.  Given a prefix τ of the composed system, a
   visible trace lambda, and component continuations t1 (of ES1) and t2
   (of ES2) that each realise lambda's projection onto their own events
   and contain no confidential events of their own view, there is a single
   continuation t of ES1 ∥ ES2 whose V⇘𝒱⇙-projection is exactly lambda and
   which contains no confidential event of 𝒱.  This is the step that lets
   the compositionality theorems for BSD/BSI/BSIA reassemble the two
   component witnesses into one witness for the composed system.
   The proof only dispatches: well_behaved_composition (a locale
   assumption, unfolded via wellBehavedComposition_def at the end) is
   what blast uses to show that the four cases below are exhaustive, and
   each case is discharged by the matching specialised lemma
   generalized_zipping_lemma1 .. generalized_zipping_lemma4.  When this
   lemma is applied, those well-behavedness conditions are the side
   conditions to check. *)
lemma generalized_zipping_lemma:
"∀ τ lambda t1 t2. ( ( set τ ⊆ E⇘(ES1 ∥ ES2)⇙
∧ set lambda ⊆ V⇘𝒱⇙ ∧ set t1 ⊆ E⇘ES1⇙ ∧ set t2 ⊆ E⇘ES2⇙
∧ ((τ ↿ E⇘ES1⇙) @ t1) ∈ Tr⇘ES1⇙ ∧ ((τ ↿ E⇘ES2⇙) @ t2) ∈ Tr⇘ES2⇙
∧ (lambda ↿ E⇘ES1⇙) = (t1 ↿ V⇘𝒱⇙) ∧ (lambda ↿ E⇘ES2⇙) = (t2 ↿ V⇘𝒱⇙)
∧ (t1 ↿ C⇘𝒱1⇙) = [] ∧ (t2 ↿ C⇘𝒱2⇙) = [])
⟶ (∃t. ((τ @ t) ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ (t ↿ V⇘𝒱⇙) = lambda ∧ (t ↿ C⇘𝒱⇙) = [])) )"
proof -
note well_behaved_composition
(* Case 1: no N-event of either view occurs in the other component. *)
moreover {
assume "N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {}"
with generalized_zipping_lemma1 have ?thesis
by auto
}
(* Case 2: only ES2 is shielded from N⇘𝒱1⇙; ES1 is total on C⇘𝒱1⇙ ∩ N⇘𝒱2⇙
   and satisfies BSIA for some ρ1, which lemma 2 needs to insert those
   events on the ES1 side. *)
moreover {
assume "∃ ρ1. N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {} ∧ total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙) ∧ BSIA ρ1 𝒱1 Tr⇘ES1⇙"
then obtain ρ1 where "N⇘𝒱1⇙ ∩ E⇘ES2⇙ = {} ∧ total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙) ∧ BSIA ρ1 𝒱1 Tr⇘ES1⇙"
by auto
with generalized_zipping_lemma2[of ρ1] have ?thesis
by auto
}
(* Case 3: the mirror image of case 2 with the roles of ES1 and ES2 swapped. *)
moreover {
assume "∃ ρ2. N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {} ∧ total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙) ∧ BSIA ρ2 𝒱2 Tr⇘ES2⇙"
then obtain ρ2 where "N⇘𝒱2⇙ ∩ E⇘ES1⇙ = {} ∧ total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙) ∧ BSIA ρ2 𝒱2 Tr⇘ES2⇙"
by auto
with generalized_zipping_lemma3[of ρ2] have ?thesis
by auto
}
(* Case 4: both components may share N-events; BSIA, totality and FCIA
   (with the Γ1/Γ2 event sets bounded by the component alphabets) are
   required on both sides, plus the coverage and disjointness conditions
   listed in the assumption. *)
moreover {
assume "∃ ρ1 ρ2 Γ1 Γ2. ( ∇⇘Γ1⇙ ⊆ E⇘ES1⇙ ∧ Δ⇘Γ1⇙ ⊆ E⇘ES1⇙ ∧ Υ⇘Γ1⇙ ⊆ E⇘ES1⇙
∧ ∇⇘Γ2⇙ ⊆ E⇘ES2⇙ ∧ Δ⇘Γ2⇙ ⊆ E⇘ES2⇙ ∧ Υ⇘Γ2⇙ ⊆ E⇘ES2⇙
∧ BSIA ρ1 𝒱1 Tr⇘ES1⇙ ∧ BSIA ρ2 𝒱2 Tr⇘ES2⇙
∧ total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙) ∧ total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙)
∧ FCIA ρ1 Γ1 𝒱1 Tr⇘ES1⇙ ∧ FCIA ρ2 Γ2 𝒱2 Tr⇘ES2⇙
∧ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ⊆ ∇⇘Γ1⇙ ∪ ∇⇘Γ2⇙
∧ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙ ⊆ Υ⇘Γ1⇙ ∧ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙ ⊆ Υ⇘Γ2⇙
∧ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {} )"
then obtain ρ1 ρ2 Γ1 Γ2 where "∇⇘Γ1⇙ ⊆ E⇘ES1⇙ ∧ Δ⇘Γ1⇙ ⊆ E⇘ES1⇙ ∧ Υ⇘Γ1⇙ ⊆ E⇘ES1⇙
∧ ∇⇘Γ2⇙ ⊆ E⇘ES2⇙ ∧ Δ⇘Γ2⇙ ⊆ E⇘ES2⇙ ∧ Υ⇘Γ2⇙ ⊆ E⇘ES2⇙
∧ BSIA ρ1 𝒱1 Tr⇘ES1⇙ ∧ BSIA ρ2 𝒱2 Tr⇘ES2⇙
∧ total ES1 (C⇘𝒱1⇙ ∩ N⇘𝒱2⇙) ∧ total ES2 (C⇘𝒱2⇙ ∩ N⇘𝒱1⇙)
∧ FCIA ρ1 Γ1 𝒱1 Tr⇘ES1⇙ ∧ FCIA ρ2 Γ2 𝒱2 Tr⇘ES2⇙
∧ V⇘𝒱1⇙ ∩ V⇘𝒱2⇙ ⊆ ∇⇘Γ1⇙ ∪ ∇⇘Γ2⇙
∧ C⇘𝒱1⇙ ∩ N⇘𝒱2⇙ ⊆ Υ⇘Γ1⇙ ∧ C⇘𝒱2⇙ ∩ N⇘𝒱1⇙ ⊆ Υ⇘Γ2⇙
∧ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {}"
by auto
with generalized_zipping_lemma4[of Γ1 Γ2 ρ1 ρ2] have ?thesis
by auto
}
(* The four cases are the disjuncts of the unfolded well-behavedness
   assumption, so blast closes the goal. *)
ultimately show ?thesis unfolding wellBehavedComposition_def
by blast
qed
(* Closes the enclosing context (its opening lies earlier in the theory,
   outside this excerpt). *)
end
(* Closes the theory containing the generalized zipping lemma. *)
end
Theory CompositionalityResults
(* Compositionality results for the information-flow properties BSD, BSI
   and BSIA: each theorem below derives the property for the composed
   system ES1 ∥ ES2 and the view 𝒱 from the same property of the
   components ES1/ES2 with their views 𝒱1/𝒱2. *)
theory CompositionalityResults
imports GeneralizedZippingLemma CompositionSupport
begin
(* Everything below lives in the Compositionality locale.  The facts used
   without proof in the theorems (validES1/validES2, validV1/validV2,
   propSepViews, VIsViewOnE, Vv_is_Vv1_union_Vv2, and the locale's
   well-behaved-composition assumption behind generalized_zipping_lemma)
   presumably come from that locale; its definition is not part of this
   excerpt. *)
context Compositionality
begin
(* Compositionality of BSD (backwards-strict deletion).  The shape of the
   property is visible in the block below: for every trace β @ [c] @ α of
   the composed system with c a confidential event of 𝒱 and α free of
   𝒱-confidential events, some α' with the same V⇘𝒱⇙-projection as α and
   no C⇘𝒱⇙-events may follow β instead.  Security reading: the visible
   behaviour after β does not reveal whether c occurred.
   Proof plan: apply BSD of each component to the component's projection
   of the trace (yielding α1', α2'), then reassemble the two witnesses
   with generalized_zipping_lemma.  The zipping step rests on the locale
   assumptions (proper separation of views, well-behaved composition),
   so those are the side conditions to discharge when this theorem is
   used for a concrete composition. *)
theorem compositionality_BSD:
"⟦ BSD 𝒱1 Tr⇘ES1⇙; BSD 𝒱2 Tr⇘ES2⇙ ⟧ ⟹ BSD 𝒱 Tr⇘(ES1 ∥ ES2)⇙"
proof -
assume BSD_Tr1_v1: "BSD 𝒱1 Tr⇘ES1⇙"
assume BSD_Tr2_v2: "BSD 𝒱2 Tr⇘ES2⇙"
{
(* Fix an arbitrary instance of the BSD premise for the composed system. *)
fix α β c
assume c_in_Cv: "c ∈ C⇘𝒱⇙"
assume βcα_in_Tr: "(β @ [c] @ α) ∈ Tr⇘(ES1 ∥ ES2)⇙"
assume α_contains_no_c: "α ↿ C⇘𝒱⇙ = []"
(* CompositionSupport, instantiated once per component, provides
   BSD_in_subsystem: BSD of a component applied to that component's
   projection of a composed-system trace. *)
interpret CSES1: CompositionSupport "ES1" "𝒱" "𝒱1"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES1 validV1)
interpret CSES2: CompositionSupport "ES2" "𝒱" "𝒱2"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES2 validV2)
(* A trace of ES1 ∥ ES2 projects to a trace of each component
   (composeES_def). *)
from βcα_in_Tr
have βcα_E1_in_Tr1: "((β @ [c] @ α) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
and βcα_E2_in_Tr2: "((β @ [c] @ α) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (auto, simp add: composeES_def)+
(* From here on the facts are collected, in order, as the premises of
   generalized_zipping_lemma instantiated with τ := β,
   lambda := α ↿ V⇘𝒱⇙, t1 := α1' and t2 := α2'. *)
from composeES_yields_ES validES1 validES2 have "ES_valid (ES1 ∥ ES2)"
by auto
with βcα_in_Tr have "set β ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set (α ↿ V⇘𝒱⇙) ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
have "(α ↿ V⇘𝒱⇙) ↿ V⇘𝒱⇙ = (α ↿ V⇘𝒱⇙)"
by (simp add: projection_def)
moreover
(* BSD of ES1 deletes c from the ES1-projection: α1' continues β ↿ E⇘ES1⇙,
   agrees with α on 𝒱1-visible events and has no 𝒱1-confidential event. *)
from CSES1.BSD_in_subsystem[OF c_in_Cv βcα_E1_in_Tr1 BSD_Tr1_v1]
obtain α1'
where α1'_1: "((β ↿ E⇘ES1⇙) @ α1') ∈ Tr⇘ES1⇙"
and α1'_2: "(α1' ↿ V⇘𝒱1⇙) = (α ↿ V⇘𝒱1⇙)"
and "α1' ↿ C⇘𝒱1⇙ = []"
by auto
moreover
from α1'_1 validES1 have α1'_in_E1: "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
(* Zipping premise "lambda ↿ E⇘ES1⇙ = t1 ↿ V⇘𝒱⇙".  By proper separation of
   views the V⇘𝒱⇙-events of ES1 are exactly V⇘𝒱1⇙, and because α1' only
   contains ES1-events its V⇘𝒱⇙-projection coincides with its
   V⇘𝒱1⇙-projection; α1'_2 then closes the gap. *)
from α1'_2 propSepViews have "((α ↿ V⇘𝒱⇙) ↿ E⇘ES1⇙) = (α1' ↿ V⇘𝒱⇙)"
proof -
have "((α ↿ V⇘𝒱⇙) ↿ E⇘ES1⇙) = α ↿ (V⇘𝒱⇙ ∩ E⇘ES1⇙)"
by (simp only: projection_def, auto)
with propSepViews have "((α ↿ V⇘𝒱⇙) ↿ E⇘ES1⇙) = (α ↿ V⇘𝒱1⇙)"
unfolding properSeparationOfViews_def by auto
moreover
from α1'_2 have "(α1' ↿ V⇘𝒱1⇙) = (α1' ↿ V⇘𝒱⇙)"
proof -
(* Rewrite α1' ↿ V⇘𝒱⇙ as a projection onto E⇘ES1⇙ ∩ (V⇘𝒱1⇙ ∪ V⇘𝒱2⇙)
   and absorb the V⇘𝒱2⇙ part, which lies inside V⇘𝒱1⇙ on ES1-events. *)
from α1'_in_E1 have "α1' ↿ E⇘ES1⇙ = α1'"
by (simp add: list_subset_iff_projection_neutral)
hence "(α1' ↿ E⇘ES1⇙) ↿ V⇘𝒱⇙ = α1' ↿ V⇘𝒱⇙"
by simp
with Vv_is_Vv1_union_Vv2 have "(α1' ↿ E⇘ES1⇙) ↿ (V⇘𝒱1⇙ ∪ V⇘𝒱2⇙) = α1' ↿ V⇘𝒱⇙"
by simp
hence "α1' ↿ (E⇘ES1⇙ ∩ (V⇘𝒱1⇙ ∪ V⇘𝒱2⇙)) = α1' ↿ V⇘𝒱⇙"
by (simp only: projection_def, auto)
hence "α1' ↿ (E⇘ES1⇙ ∩ V⇘𝒱1⇙ ∪ E⇘ES1⇙ ∩ V⇘𝒱2⇙) = α1' ↿ V⇘𝒱⇙"
by (simp add: Int_Un_distrib)
moreover
from validV1 have "E⇘ES1⇙ ∩ V⇘𝒱1⇙ = V⇘𝒱1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately have "α1' ↿ (V⇘𝒱1⇙ ∪ E⇘ES1⇙ ∩ V⇘𝒱2⇙) = α1' ↿ V⇘𝒱⇙"
by simp
moreover
have "E⇘ES1⇙ ∩ V⇘𝒱2⇙ ⊆ V⇘𝒱1⇙"
proof -
from propSepViews Vv_is_Vv1_union_Vv2 have "(V⇘𝒱1⇙ ∪ V⇘𝒱2⇙) ∩ E⇘ES1⇙ = V⇘𝒱1⇙"
unfolding properSeparationOfViews_def by simp
hence "(V⇘𝒱1⇙ ∩ E⇘ES1⇙ ∪ V⇘𝒱2⇙ ∩ E⇘ES1⇙) = V⇘𝒱1⇙"
by auto
with validV1 have "(V⇘𝒱1⇙ ∪ V⇘𝒱2⇙ ∩ E⇘ES1⇙) = V⇘𝒱1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by auto
qed
ultimately show ?thesis
by (simp add: Un_absorb2)
qed
moreover note α1'_2
ultimately show ?thesis
by auto
qed
moreover
(* Same construction for ES2: delete c with BSD of ES2 to obtain α2'. *)
from CSES2.BSD_in_subsystem[OF c_in_Cv βcα_E2_in_Tr2 BSD_Tr2_v2]
obtain α2'
where α2'_1: "((β ↿ E⇘ES2⇙) @ α2') ∈ Tr⇘ES2⇙"
and α2'_2: "(α2' ↿ V⇘𝒱2⇙) = (α ↿ V⇘𝒱2⇙)"
and "α2' ↿ C⇘𝒱2⇙ = []"
by auto
moreover
from α2'_1 validES2 have α2'_in_E2: "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
(* Zipping premise "lambda ↿ E⇘ES2⇙ = t2 ↿ V⇘𝒱⇙", mirror image of the ES1
   argument above. *)
from α2'_2 propSepViews have "((α ↿ V⇘𝒱⇙) ↿ E⇘ES2⇙) = (α2' ↿ V⇘𝒱⇙)"
proof -
have "((α ↿ V⇘𝒱⇙) ↿ E⇘ES2⇙) = α ↿ (V⇘𝒱⇙ ∩ E⇘ES2⇙)"
by (simp only: projection_def, auto)
with propSepViews have "((α ↿ V⇘𝒱⇙) ↿ E⇘ES2⇙) = (α ↿ V⇘𝒱2⇙)"
unfolding properSeparationOfViews_def by auto
moreover
from α2'_2 have "(α2' ↿ V⇘𝒱2⇙) = (α2' ↿ V⇘𝒱⇙)"
proof -
from α2'_in_E2 have "α2' ↿ E⇘ES2⇙ = α2'"
by (simp add: list_subset_iff_projection_neutral)
hence "(α2' ↿ E⇘ES2⇙) ↿ V⇘𝒱⇙ = α2' ↿ V⇘𝒱⇙"
by simp
with Vv_is_Vv1_union_Vv2 have "(α2' ↿ E⇘ES2⇙) ↿ (V⇘𝒱2⇙ ∪ V⇘𝒱1⇙) = α2' ↿ V⇘𝒱⇙"
by (simp add: Un_commute)
hence "α2' ↿ (E⇘ES2⇙ ∩ (V⇘𝒱2⇙ ∪ V⇘𝒱1⇙)) = α2' ↿ V⇘𝒱⇙"
by (simp only: projection_def, auto)
hence "α2' ↿ (E⇘ES2⇙ ∩ V⇘𝒱2⇙ ∪ E⇘ES2⇙ ∩ V⇘𝒱1⇙) = α2' ↿ V⇘𝒱⇙"
by (simp add: Int_Un_distrib)
moreover
from validV2 have "E⇘ES2⇙ ∩ V⇘𝒱2⇙ = V⇘𝒱2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately have "α2' ↿ (V⇘𝒱2⇙ ∪ E⇘ES2⇙ ∩ V⇘𝒱1⇙) = α2' ↿ V⇘𝒱⇙"
by simp
moreover
have "E⇘ES2⇙ ∩ V⇘𝒱1⇙ ⊆ V⇘𝒱2⇙"
proof -
from propSepViews Vv_is_Vv1_union_Vv2 have "(V⇘𝒱2⇙ ∪ V⇘𝒱1⇙) ∩ E⇘ES2⇙ = V⇘𝒱2⇙"
unfolding properSeparationOfViews_def by (simp add: Un_commute)
hence "(V⇘𝒱2⇙ ∩ E⇘ES2⇙ ∪ V⇘𝒱1⇙ ∩ E⇘ES2⇙) = V⇘𝒱2⇙"
by auto
with validV2 have "(V⇘𝒱2⇙ ∪ V⇘𝒱1⇙ ∩ E⇘ES2⇙) = V⇘𝒱2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by auto
qed
ultimately show ?thesis
by (simp add: Un_absorb2)
qed
moreover note α2'_2
ultimately show ?thesis
by auto
qed
(* Zip α1' and α2' into one continuation α' of the composed system; the
   result is exactly the BSD conclusion for β, c, α. *)
moreover note generalized_zipping_lemma
ultimately have "∃α'. ((β @ α') ∈ (Tr⇘(ES1 ∥ ES2)⇙) ∧ (α' ↿ V⇘𝒱⇙ = (α ↿ V⇘𝒱⇙)) ∧ α' ↿ C⇘𝒱⇙ = [])"
by blast
}
(* The block above is the body of BSD_def for the composed system. *)
thus ?thesis
unfolding BSD_def
by auto
qed
(* Compositionality of BSI (backwards-strict insertion).  As the block
   below shows, BSI asks that a 𝒱-confidential event c can be inserted
   after any prefix β of a trace β @ α (α free of C⇘𝒱⇙-events) while
   keeping α's V⇘𝒱⇙-projection and still avoiding C⇘𝒱⇙-events; together
   with BSD this says the visible behaviour is independent of c.
   BSD of both components is an extra hypothesis because a component's
   BSI is only applied to a continuation without 𝒱i-confidential events:
   BSD_in_subsystem2 first cleans each projected continuation (α1', α2').
   The component that does not contain c keeps its cleaned continuation;
   the one that does inserts c via its BSI; generalized_zipping_lemma then
   reassembles the two witnesses behind β @ [c].  The locale assumptions
   (proper separation of views, well-behaved composition) are the side
   conditions to check when applying this theorem. *)
theorem compositionality_BSI:
"⟦ BSD 𝒱1 Tr⇘ES1⇙; BSD 𝒱2 Tr⇘ES2⇙; BSI 𝒱1 Tr⇘ES1⇙; BSI 𝒱2 Tr⇘ES2⇙ ⟧
⟹ BSI 𝒱 Tr⇘(ES1 ∥ ES2)⇙"
proof -
assume BSD1: "BSD 𝒱1 Tr⇘ES1⇙"
and BSD2: "BSD 𝒱2 Tr⇘ES2⇙"
and BSI1: "BSI 𝒱1 Tr⇘ES1⇙"
and BSI2: "BSI 𝒱2 Tr⇘ES2⇙"
{
(* Fix an arbitrary instance of the BSI premise for the composed system. *)
fix α β c
assume c_in_Cv: "c ∈ C⇘𝒱⇙"
assume βα_in_Tr: "(β @ α) ∈ Tr⇘(ES1 ∥ ES2)⇙"
assume α_no_Cv: "α ↿ C⇘𝒱⇙ = []"
(* A trace of ES1 ∥ ES2 projects to a trace of each component
   (composeES_def). *)
from βα_in_Tr
have βα_E1_in_Tr1: "((β @ α) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
and βα_E2_in_Tr2: "((β @ α) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: composeES_def)+
(* CompositionSupport, instantiated per component, supplies
   BSD_in_subsystem2. *)
interpret CSES1: CompositionSupport "ES1" "𝒱" "𝒱1"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES1 validV1)
interpret CSES2: CompositionSupport "ES2" "𝒱" "𝒱2"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES2 validV2)
(* Clean the component continuations: α1' (α2') follows β ↿ E⇘ES1⇙
   (β ↿ E⇘ES2⇙), has the same 𝒱1- (𝒱2-) visible events as α and no
   𝒱1- (𝒱2-) confidential event. *)
from CSES1.BSD_in_subsystem2[OF βα_E1_in_Tr1 BSD1] obtain α1'
where βE1α1'_in_Tr1: "β ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
and α1'Vv1_is_αVv1: "α1' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
and α1'Cv1_empty: "α1' ↿ C⇘𝒱1⇙ = []"
by auto
from CSES2.BSD_in_subsystem2[OF βα_E2_in_Tr2 BSD2] obtain α2'
where βE2α2'_in_Tr2: "β ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
and α2'Vv2_is_αVv2: "α2' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
and α2'Cv2_empty: "α2' ↿ C⇘𝒱2⇙ = []"
by auto
(* ES1 witness behind (β @ [c]) ↿ E⇘ES1⇙, by cases on whether c is an
   ES1-event (decided by whether [c] ↿ E⇘ES1⇙ is empty). *)
have "∃ α1''. (set α1'' ⊆ E⇘ES1⇙ ∧ ((β @ [c]) ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = [])"
proof cases
(* c is not an ES1-event: the projection of β @ [c] equals that of β, so
   the cleaned α1' is already a witness. *)
assume cE1_empty: "[c] ↿ E⇘ES1⇙ = []"
from βE1α1'_in_Tr1 validES1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from cE1_empty βE1α1'_in_Tr1 have "((β @ [c]) ↿ E⇘ES1⇙) @ α1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
note α1'Vv1_is_αVv1 α1'Cv1_empty
ultimately show ?thesis
by auto
next
(* c is an ES1-event; by proper separation of views a 𝒱-confidential
   ES1-event is 𝒱1-confidential, so BSI of ES1 can insert it after
   β ↿ E⇘ES1⇙ (α1' being C⇘𝒱1⇙-free is the BSI precondition). *)
assume cE1_not_empty: "[c] ↿ E⇘ES1⇙ ≠ []"
hence c_in_E1: "c ∈ E⇘ES1⇙"
by (simp only: projection_def, auto, split if_split_asm, auto)
from c_in_Cv c_in_E1 propSepViews have "c ∈ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def by auto
moreover
note βE1α1'_in_Tr1 α1'Cv1_empty BSI1
ultimately obtain α1''
where βE1cα1''_in_Tr1: "(β ↿ E⇘ES1⇙) @ [c] @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_α1'Vv1: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSI_def
by blast
from validES1 βE1cα1''_in_Tr1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from βE1cα1''_in_Tr1 c_in_E1 have "((β @ [c]) ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
from α1''Vv1_is_α1'Vv1 α1'Vv1_is_αVv1 have "α1'' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
by auto
moreover
note α1''Cv1_empty
ultimately show ?thesis
by auto
qed
then obtain α1''
where α1''_in_E1star: "set α1'' ⊆ E⇘ES1⇙"
and βcE1α1''_in_Tr1: "((β @ [c]) ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_αVv1: "α1'' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
by auto
(* ES2 witness, mirror image of the ES1 case split. *)
have "∃ α2''. (set α2'' ⊆ E⇘ES2⇙
∧ ((β @ [c]) ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙
∧ α2'' ↿ C⇘𝒱2⇙ = [])"
proof cases
assume cE2_empty: "[c] ↿ E⇘ES2⇙ = []"
from βE2α2'_in_Tr2 validES2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from cE2_empty βE2α2'_in_Tr2 have "((β @ [c]) ↿ E⇘ES2⇙) @ α2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
note α2'Vv2_is_αVv2 α2'Cv2_empty
ultimately show ?thesis
by auto
next
assume cE2_not_empty: "[c] ↿ E⇘ES2⇙ ≠ []"
hence c_in_E2: "c ∈ E⇘ES2⇙"
by (simp only: projection_def, auto, split if_split_asm, auto)
from c_in_Cv c_in_E2 propSepViews have "c ∈ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
moreover
note βE2α2'_in_Tr2 α2'Cv2_empty BSI2
ultimately obtain α2''
where βE2cα2''_in_Tr2: "(β ↿ E⇘ES2⇙) @ [c] @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_α2'Vv2: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSI_def
by blast
from validES2 βE2cα2''_in_Tr2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from βE2cα2''_in_Tr2 c_in_E2 have "((β @ [c]) ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
from α2''Vv2_is_α2'Vv2 α2'Vv2_is_αVv2 have "α2'' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
by auto
moreover
note α2''Cv2_empty
ultimately show ?thesis
by auto
qed
then obtain α2''
where α2''_in_E2star: "set α2'' ⊆ E⇘ES2⇙"
and βcE2α2''_in_Tr2: "((β @ [c]) ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_αVv2: "α2'' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
by auto
(* Collect the premises of generalized_zipping_lemma with τ := β @ [c],
   lambda := α ↿ V⇘𝒱⇙, t1 := α1'', t2 := α2''.  c is an event of the
   composed system because C⇘𝒱⇙ lies within its alphabet (VIsViewOnE). *)
from VIsViewOnE c_in_Cv βα_in_Tr have "set (β @ [c]) ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def composeES_def, auto)
moreover
have "set (α ↿ V⇘𝒱⇙) ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
note α1''_in_E1star α2''_in_E2star βcE1α1''_in_Tr1 βcE2α2''_in_Tr2
moreover
(* Zipping premise for ES1: V⇘𝒱⇙ ∩ E⇘ES1⇙ is V⇘𝒱1⇙ by proper separation of
   views, and α1'' consists of ES1-events only. *)
have "(α ↿ V⇘𝒱⇙) ↿ E⇘ES1⇙ = α1'' ↿ V⇘𝒱⇙"
proof -
from α1''Vv1_is_αVv1 propSepViews have "α ↿ (V⇘𝒱⇙ ∩ E⇘ES1⇙) = α1'' ↿ (E⇘ES1⇙ ∩ V⇘𝒱⇙)"
unfolding properSeparationOfViews_def by (simp add: Int_commute)
hence "α ↿ V⇘𝒱⇙ ↿ E⇘ES1⇙ = α1'' ↿ E⇘ES1⇙ ↿ V⇘𝒱⇙"
by (simp add: projection_def)
with α1''_in_E1star show ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
(* Zipping premise for ES2, symmetric to the one above. *)
have "(α ↿ V⇘𝒱⇙) ↿ E⇘ES2⇙ = α2'' ↿ V⇘𝒱⇙"
proof -
from α2''Vv2_is_αVv2 propSepViews have "α ↿ (V⇘𝒱⇙ ∩ E⇘ES2⇙) = α2'' ↿ (E⇘ES2⇙ ∩ V⇘𝒱⇙)"
unfolding properSeparationOfViews_def by (simp add: Int_commute)
hence "α ↿ V⇘𝒱⇙ ↿ E⇘ES2⇙ = α2'' ↿ E⇘ES2⇙ ↿ V⇘𝒱⇙"
by (simp add: projection_def)
with α2''_in_E2star show ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
(* Zip the two witnesses behind β @ [c]; this is the BSI conclusion. *)
note α1''Cv1_empty α2''Cv2_empty generalized_zipping_lemma
ultimately have "∃α'. (β @ [c]) @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
by blast
}
(* The block above is the body of BSI_def for the composed system. *)
thus ?thesis
unfolding BSI_def
by auto
qed
theorem compositionality_BSIA:
"⟦ BSD 𝒱1 Tr⇘ES1⇙; BSD 𝒱2 Tr⇘ES2⇙; BSIA ρ1 𝒱1 Tr⇘ES1⇙; BSIA ρ2 𝒱2 Tr⇘ES2⇙;
(ρ1 𝒱1) ⊆ (ρ 𝒱) ∩ E⇘ES1⇙; (ρ2 𝒱2) ⊆ (ρ 𝒱) ∩ E⇘ES2⇙ ⟧
⟹ BSIA ρ 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume BSD1: "BSD 𝒱1 Tr⇘ES1⇙"
and BSD2: "BSD 𝒱2 Tr⇘ES2⇙"
and BSIA1: "BSIA ρ1 𝒱1 Tr⇘ES1⇙"
and BSIA2: "BSIA ρ2 𝒱2 Tr⇘ES2⇙"
and ρ1v1_subset_ρv_inter_E1: "(ρ1 𝒱1) ⊆ (ρ 𝒱) ∩ E⇘ES1⇙"
and ρ2v2_subset_ρv_inter_E2:"(ρ2 𝒱2) ⊆ (ρ 𝒱) ∩ E⇘ES2⇙"
{
fix α β c
assume c_in_Cv: "c ∈ C⇘𝒱⇙"
assume βα_in_Tr: "(β @ α) ∈ Tr⇘(ES1 ∥ ES2)⇙"
assume α_no_Cv: "α ↿ C⇘𝒱⇙ = []"
assume Adm: "(Adm 𝒱 ρ Tr⇘(ES1 ∥ ES2)⇙ β c)"
then obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from βα_in_Tr
have βα_E1_in_Tr1: "((β @ α) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
and βα_E2_in_Tr2: "((β @ α) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: composeES_def)+
interpret CSES1: CompositionSupport "ES1" "𝒱" "𝒱1"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES1 validV1)
interpret CSES2: CompositionSupport "ES2" "𝒱" "𝒱2"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES2 validV2)
from CSES1.BSD_in_subsystem2[OF βα_E1_in_Tr1 BSD1] obtain α1'
where βE1α1'_in_Tr1: "β ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
and α1'Vv1_is_αVv1: "α1' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
and α1'Cv1_empty: "α1' ↿ C⇘𝒱1⇙ = []"
by auto
from CSES2.BSD_in_subsystem2[OF βα_E2_in_Tr2 BSD2] obtain α2'
where βE2α2'_in_Tr2: "β ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
and α2'Vv2_is_αVv2: "α2' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
and α2'Cv2_empty: "α2' ↿ C⇘𝒱2⇙ = []"
by auto
have "∃ α1''. (set α1'' ⊆ E⇘ES1⇙
∧ ((β @ [c]) ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙
∧ α1'' ↿ C⇘𝒱1⇙ = [])"
proof cases
assume cE1_empty: "[c] ↿ E⇘ES1⇙ = []"
from βE1α1'_in_Tr1 validES1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from cE1_empty βE1α1'_in_Tr1 have "((β @ [c]) ↿ E⇘ES1⇙) @ α1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
note α1'Vv1_is_αVv1 α1'Cv1_empty
ultimately show ?thesis
by auto
next
assume cE1_not_empty: "[c] ↿ E⇘ES1⇙ ≠ []"
hence c_in_E1: "c ∈ E⇘ES1⇙"
by (simp only: projection_def, auto, split if_split_asm, auto)
from c_in_Cv c_in_E1 propSepViews have "c ∈ C⇘𝒱1⇙"
unfolding properSeparationOfViews_def by auto
moreover
note βE1α1'_in_Tr1 α1'Cv1_empty
moreover
have "(Adm 𝒱1 ρ1 Tr⇘ES1⇙ (β ↿ E⇘ES1⇙) c)"
proof -
from c_in_E1 γc_in_Tr have "(γ ↿ E⇘ES1⇙) @ [c] ∈ Tr⇘ES1⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1) = β ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES1⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES1⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ1v1_subset_ρv_inter_E1 have "γ ↿ (ρ1 𝒱1) = β ↿ (ρ1 𝒱1)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note BSIA1
ultimately obtain α1''
where βE1cα1''_in_Tr1: "(β ↿ E⇘ES1⇙) @ [c] @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_α1'Vv1: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSIA_def
by blast
from validES1 βE1cα1''_in_Tr1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from βE1cα1''_in_Tr1 c_in_E1 have "((β @ [c]) ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
from α1''Vv1_is_α1'Vv1 α1'Vv1_is_αVv1 have "α1'' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
by auto
moreover
note α1''Cv1_empty
ultimately show ?thesis
by auto
qed
then obtain α1''
where α1''_in_E1star: "set α1'' ⊆ E⇘ES1⇙"
and βcE1α1''_in_Tr1: "((β @ [c]) ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_αVv1: "α1'' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
by auto
have "∃ α2''. (set α2'' ⊆ E⇘ES2⇙
∧ ((β @ [c]) ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙
∧ α2'' ↿ C⇘𝒱2⇙ = [])"
proof cases
assume cE2_empty: "[c] ↿ E⇘ES2⇙ = []"
from βE2α2'_in_Tr2 validES2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from cE2_empty βE2α2'_in_Tr2 have "((β @ [c]) ↿ E⇘ES2⇙) @ α2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
note α2'Vv2_is_αVv2 α2'Cv2_empty
ultimately show ?thesis
by auto
next
assume cE2_not_empty: "[c] ↿ E⇘ES2⇙ ≠ []"
hence c_in_E2: "c ∈ E⇘ES2⇙"
by (simp only: projection_def, auto, split if_split_asm, auto)
from c_in_Cv c_in_E2 propSepViews have "c ∈ C⇘𝒱2⇙"
unfolding properSeparationOfViews_def by auto
moreover
note βE2α2'_in_Tr2 α2'Cv2_empty
moreover
have "(Adm 𝒱2 ρ2 Tr⇘ES2⇙ (β ↿ E⇘ES2⇙) c)"
proof -
from c_in_E2 γc_in_Tr have "(γ ↿ E⇘ES2⇙) @ [c] ∈ Tr⇘ES2⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2) = β ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES2⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES2⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ2v2_subset_ρv_inter_E2 have "γ ↿ (ρ2 𝒱2) = β ↿ (ρ2 𝒱2)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note BSIA2
ultimately obtain α2''
where βE2cα2''_in_Tr2: "(β ↿ E⇘ES2⇙) @ [c] @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_α2'Vv2: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSIA_def
by blast
from validES2 βE2cα2''_in_Tr2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from βE2cα2''_in_Tr2 c_in_E2 have "((β @ [c]) ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
from α2''Vv2_is_α2'Vv2 α2'Vv2_is_αVv2 have "α2'' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
by auto
moreover
note α2''Cv2_empty
ultimately show ?thesis
by auto
qed
then obtain α2''
where α2''_in_E2star: "set α2'' ⊆ E⇘ES2⇙"
and βcE2α2''_in_Tr2: "((β @ [c]) ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_αVv2: "α2'' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
by auto
from VIsViewOnE c_in_Cv βα_in_Tr have "set (β @ [c]) ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def composeES_def, auto)
moreover
have "set (α ↿ V⇘𝒱⇙) ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
note α1''_in_E1star α2''_in_E2star βcE1α1''_in_Tr1 βcE2α2''_in_Tr2
moreover
have "(α ↿ V⇘𝒱⇙) ↿ E⇘ES1⇙ = α1'' ↿ V⇘𝒱⇙"
proof -
from α1''Vv1_is_αVv1 propSepViews
have "α ↿ (V⇘𝒱⇙ ∩ E⇘ES1⇙) = α1'' ↿ (E⇘ES1⇙ ∩ V⇘𝒱⇙)"
unfolding properSeparationOfViews_def by (simp add: Int_commute)
hence "α ↿ V⇘𝒱⇙ ↿ E⇘ES1⇙ = α1'' ↿ E⇘ES1⇙ ↿ V⇘𝒱⇙"
by (simp add: projection_def)
with α1''_in_E1star show ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "(α ↿ V⇘𝒱⇙) ↿ E⇘ES2⇙ = α2'' ↿ V⇘𝒱⇙"
proof -
from α2''Vv2_is_αVv2 propSepViews
have "α ↿ (V⇘𝒱⇙ ∩ E⇘ES2⇙) = α2'' ↿ (E⇘ES2⇙ ∩ V⇘𝒱⇙)"
unfolding properSeparationOfViews_def by (simp add: Int_commute)
hence "α ↿ V⇘𝒱⇙ ↿ E⇘ES2⇙ = α2'' ↿ E⇘ES2⇙ ↿ V⇘𝒱⇙"
by (simp add: projection_def)
with α2''_in_E2star show ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
note α1''Cv1_empty α2''Cv2_empty generalized_zipping_lemma
ultimately have "∃α'. (β @ [c]) @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = []"
by blast
}
thus ?thesis
unfolding BSIA_def
by auto
qed
(* Compositionality of FCD for the parallel composition ES1 ∥ ES2.

   Unfolding FCD_def (see the final obligation of this proof): whenever
   β @ [c,v'] @ α is a trace of ES1 ∥ ES2 with c ∈ C ∩ Υ, v' ∈ V ∩ ∇ and α
   free of C-events, there is a correction γ' ⊆ N ∩ Δ and a continuation
   α' such that β @ γ' @ [v'] @ α' is again a trace, has the same V-view as
   α and contains no C-events.  Informally: deleting the confidential
   event c can be hidden from the observer by inserting only
   non-confidential correction events, so the components' FCD guarantees
   carry over to the composed system.

   Hypotheses, in order:
     - BSD for both components (used to delete c in a component that sees
       c but not v');
     - ∇ and Υ of the composed view restricted to a component's events are
       contained in that component's ∇ / Υ (so c and v' keep their roles
       in the component views);
     - the components' correction alphabets Δ_i ∩ N_i are contained in Δ;
     - N_i ∩ Δ_i ∩ E_j = {}: a correction chosen for one component must be
       invisible to the other, otherwise the corrected component traces
       could not be recombined (this is exactly what δ1''E2_empty /
       δ2''E1_empty below establish);
     - FCD for both components.

   Facts such as validES1/validES2, validV1/validV2, VIsViewOnE,
   propSepViews, Nv1_union_Nv2_subsetof_Nv and generalized_zipping_lemma
   are locale assumptions / lemmas proved earlier in this theory and are
   not shown in this excerpt.

   Proof outline:
     1. project the composed trace onto ES1 and ES2 and use
        BSD_in_subsystem2 to obtain C_i-free component continuations
        α1', α2' with the same V_i-views as α;
     2. for each component, case-split on whether c and v' belong to its
        alphabet and obtain a corrected component trace (three cases:
        c invisible; c visible, v' not — delete c via BSD_i; both visible
        — apply FCD_i);
     3. show the corrections do not cross component boundaries and zip the
        two corrected component traces into a trace of ES1 ∥ ES2;
     4. show the combined correction lies in N ∩ Δ of the composed view. *)
theorem compositionality_FCD:
"⟦ BSD 𝒱1 Tr⇘ES1⇙; BSD 𝒱2 Tr⇘ES2⇙;
∇⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ ∇⇘Γ1⇙; ∇⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ ∇⇘Γ2⇙;
Υ⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙; Υ⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙;
( Δ⇘Γ1⇙ ∩ N⇘𝒱1⇙ ∪ Δ⇘Γ2⇙ ∩ N⇘𝒱2⇙ ) ⊆ Δ⇘Γ⇙;
N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {}; N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {};
FCD Γ1 𝒱1 Tr⇘ES1⇙; FCD Γ2 𝒱2 Tr⇘ES2⇙ ⟧
⟹ FCD Γ 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume BSD1: "BSD 𝒱1 Tr⇘ES1⇙"
and BSD2: "BSD 𝒱2 Tr⇘ES2⇙"
and Nabla_inter_E1_subset_Nabla1: "∇⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ ∇⇘Γ1⇙"
and Nabla_inter_E2_subset_Nabla2: "∇⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ ∇⇘Γ2⇙"
and Upsilon_inter_E1_subset_Upsilon1: "Υ⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙"
and Upsilon_inter_E2_subset_Upsilon2: "Υ⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙"
and Delta1_N1_Delta2_N2_subset_Delta: "( Δ⇘Γ1⇙ ∩ N⇘𝒱1⇙ ∪ Δ⇘Γ2⇙ ∩ N⇘𝒱2⇙ ) ⊆ Δ⇘Γ⇙"
and N1_Delta1_E2_disjoint: "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {}"
and N2_Delta2_E1_disjoint: "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {}"
and FCD1: "FCD Γ1 𝒱1 Tr⇘ES1⇙"
and FCD2: "FCD Γ2 𝒱2 Tr⇘ES2⇙"
(* Step 1: fix an arbitrary instance of the FCD premise for the composed
   system; the block { ... } discharges the existential of FCD_def. *)
{
fix α β c v'
assume c_in_Cv_inter_Upsilon: "c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙)"
and v'_in_Vv_inter_Nabla: "v' ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙)"
and βcv'α_in_Tr: "(β @ [c,v'] @ α) ∈ Tr⇘(ES1 ∥ ES2)⇙"
and αCv_empty: "α ↿ C⇘𝒱⇙ = []"
(* A trace of the composition projects to a trace of each component
   (composeES_def). *)
from βcv'α_in_Tr
have βcv'α_E1_in_Tr1: "(((β @ [c,v']) @ α) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
and βcv'α_E2_in_Tr2: "(((β @ [c,v']) @ α) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: composeES_def)+
interpret CSES1: CompositionSupport "ES1" "𝒱" "𝒱1"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES1 validV1)
interpret CSES2: CompositionSupport "ES2" "𝒱" "𝒱2"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES2 validV2)
(* BSD_in_subsystem2 yields, for each component, a continuation αi' that
   keeps the projected prefix, agrees with α on V_i and has no C_i events.
   Note that the original α was only known to be C-free, not C_i-free. *)
from CSES1.BSD_in_subsystem2[OF βcv'α_E1_in_Tr1 BSD1] obtain α1'
where βcv'E1α1'_in_Tr1: "(β @ [c,v']) ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
and α1'Vv1_is_αVv1: "α1' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
and α1'Cv1_empty: "α1' ↿ C⇘𝒱1⇙ = []"
by auto
from CSES2.BSD_in_subsystem2[OF βcv'α_E2_in_Tr2 BSD2] obtain α2'
where βcv'E2α2'_in_Tr2: "(β @ [c,v']) ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
and α2'Vv2_is_αVv2: "α2' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
and α2'Cv2_empty: "α2' ↿ C⇘𝒱2⇙ = []"
by auto
(* Step 2, component ES1: case split on which of c, v' lie in E_ES1.  The
   fourth combination (c ∉ E1, v' ∈ E1) is folded into the first case,
   which does not depend on v'.  Each case ends with the same existential
   so that the three can be combined with `ultimately obtain`. *)
from c_in_Cv_inter_Upsilon v'_in_Vv_inter_Nabla validV1
have "c ∉ E⇘ES1⇙ ∨ (c ∈ E⇘ES1⇙ ∧ v' ∉ E⇘ES1⇙) ∨ (c ∈ E⇘ES1⇙ ∧ v' ∈ E⇘ES1⇙)"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def)
(* Case 1a: c is not an ES1 event, so its deletion is invisible to ES1 and
   the empty correction suffices. *)
moreover {
assume c_notin_E1: "c ∉ E⇘ES1⇙"
have "set [] ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by auto
moreover
from βcv'E1α1'_in_Tr1 c_notin_E1 have "(β ↿ E⇘ES1⇙) @ [] @ ([v'] ↿ E⇘ES1⇙) @ α1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
have "α1' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙" ..
moreover
note α1'Cv1_empty
ultimately have "∃ α1'' δ1''. set δ1'' ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)
∧ (β ↿ E⇘ES1⇙) @ δ1'' @ ([v'] ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []"
by blast
}
(* Case 1b: ES1 sees c but not v'.  Then c is a C_1 event at the end of
   the visible prefix and BSD1 deletes it; again no correction is needed. *)
moreover {
assume c_in_E1: "c ∈ E⇘ES1⇙"
and v'_notin_E1: "v' ∉ E⇘ES1⇙"
from c_in_E1 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E1_subset_Upsilon1
have c_in_Cv1_Upsilon1: "c ∈ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
unfolding properSeparationOfViews_def by auto
hence c_in_Cv1: "c ∈ C⇘𝒱1⇙"
by auto
moreover
from βcv'E1α1'_in_Tr1 c_in_E1 v'_notin_E1 have "(β ↿ E⇘ES1⇙) @ [c] @ α1' ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
note α1'Cv1_empty BSD1
ultimately obtain α1''
where first: "(β ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
and second: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and third: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSD_def
by blast
have "set [] ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by auto
moreover
from first v'_notin_E1 have "(β ↿ E⇘ES1⇙) @ [] @ ([v'] ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note second third
ultimately
have "∃ α1'' δ1''. set δ1'' ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)
∧ (β ↿ E⇘ES1⇙) @ δ1'' @ ([v'] ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []"
by blast
}
(* Case 1c: ES1 sees both c and v'.  The Υ/∇ inclusion hypotheses show
   that c and v' keep their roles in the component view, so FCD1 applies
   directly and provides the correction δ1''. *)
moreover {
assume c_in_E1: "c ∈ E⇘ES1⇙"
and v'_in_E1: "v' ∈ E⇘ES1⇙"
from c_in_E1 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E1_subset_Upsilon1
have c_in_Cv1_Upsilon1: "c ∈ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E1 v'_in_Vv_inter_Nabla propSepViews Nabla_inter_E1_subset_Nabla1
have v'_in_Vv1_inter_Nabla1: "v' ∈ (V⇘𝒱1⇙ ∩ ∇⇘Γ1⇙)"
unfolding properSeparationOfViews_def by auto
moreover
from βcv'E1α1'_in_Tr1 c_in_E1 v'_in_E1 have "(β ↿ E⇘ES1⇙) @ [c,v'] @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note α1'Cv1_empty FCD1
ultimately obtain α1'' δ1''
where first: "set δ1'' ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
and second: "(β ↿ E⇘ES1⇙) @ δ1'' @ [v'] @ α1'' ∈ Tr⇘ES1⇙"
and third: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and fourth: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCD_def
by blast
from second v'_in_E1 have "(β ↿ E⇘ES1⇙) @ δ1'' @ ([v'] ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
with first third fourth
have "∃ α1'' δ1''. set δ1'' ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)
∧ (β ↿ E⇘ES1⇙) @ δ1'' @ ([v'] ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCD_def
by blast
}
(* Combine the three ES1 cases into one corrected component trace. *)
ultimately obtain α1'' δ1''
where δ1''_in_Nv1_Delta1_star: "set δ1'' ⊆ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
and βE1δ1''vE1α1''_in_Tr1: "(β ↿ E⇘ES1⇙) @ δ1'' @ ([v'] ↿ E⇘ES1⇙) @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_α1'Vv1: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
by blast
with validV1 have δ1''_in_E1_star: "set δ1'' ⊆ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
(* Step 2, component ES2: the same three-way case split, symmetric to the
   ES1 argument above. *)
from c_in_Cv_inter_Upsilon v'_in_Vv_inter_Nabla validV2
have "c ∉ E⇘ES2⇙ ∨ (c ∈ E⇘ES2⇙ ∧ v' ∉ E⇘ES2⇙) ∨ (c ∈ E⇘ES2⇙ ∧ v' ∈ E⇘ES2⇙)"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def)
moreover {
assume c_notin_E2: "c ∉ E⇘ES2⇙"
have "set [] ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by auto
moreover
from βcv'E2α2'_in_Tr2 c_notin_E2 have "(β ↿ E⇘ES2⇙) @ [] @ ([v'] ↿ E⇘ES2⇙) @ α2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
have "α2' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙" ..
moreover
note α2'Cv2_empty
ultimately have "∃ α2'' δ2''. set δ2'' ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)
∧ (β ↿ E⇘ES2⇙) @ δ2'' @ ([v'] ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []"
by blast
}
moreover {
assume c_in_E2: "c ∈ E⇘ES2⇙"
and v'_notin_E2: "v' ∉ E⇘ES2⇙"
from c_in_E2 c_in_Cv_inter_Upsilon propSepViews Upsilon_inter_E2_subset_Upsilon2
have c_in_Cv2_Upsilon2: "c ∈ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
unfolding properSeparationOfViews_def by auto
hence c_in_Cv2: "c ∈ C⇘𝒱2⇙"
by auto
moreover
from βcv'E2α2'_in_Tr2 c_in_E2 v'_notin_E2 have "(β ↿ E⇘ES2⇙) @ [c] @ α2' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute projection_def, auto)
moreover
note α2'Cv2_empty BSD2
ultimately obtain α2''
where first: "(β ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
and second: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and third: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSD_def
by blast
have "set [] ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by auto
moreover
from first v'_notin_E2 have "(β ↿ E⇘ES2⇙) @ [] @ ([v'] ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note second third
ultimately
have "∃ α2'' δ2''. set δ2'' ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)
∧ (β ↿ E⇘ES2⇙) @ δ2'' @ ([v'] ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []"
by blast
}
moreover {
assume c_in_E2: "c ∈ E⇘ES2⇙"
and v'_in_E2: "v' ∈ E⇘ES2⇙"
from c_in_E2 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E2_subset_Upsilon2
have c_in_Cv2_Upsilon2: "c ∈ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E2 v'_in_Vv_inter_Nabla propSepViews Nabla_inter_E2_subset_Nabla2
have v'_in_Vv2_inter_Nabla2: "v' ∈ (V⇘𝒱2⇙ ∩ ∇⇘Γ2⇙)"
unfolding properSeparationOfViews_def by auto
moreover
from βcv'E2α2'_in_Tr2 c_in_E2 v'_in_E2 have "(β ↿ E⇘ES2⇙) @ [c,v'] @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note α2'Cv2_empty FCD2
ultimately obtain α2'' δ2''
where first: "set δ2'' ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
and second: "(β ↿ E⇘ES2⇙) @ δ2'' @ [v'] @ α2'' ∈ Tr⇘ES2⇙"
and third: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and fourth: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCD_def
by blast
from second v'_in_E2 have "(β ↿ E⇘ES2⇙) @ δ2'' @ ([v'] ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
with first third fourth
have "∃ α2'' δ2''. set δ2'' ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)
∧ (β ↿ E⇘ES2⇙) @ δ2'' @ ([v'] ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCD_def
by blast
}
ultimately obtain α2'' δ2''
where δ2''_in_Nv2_Delta2_star: "set δ2'' ⊆ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
and βE2δ2''vE2α2''_in_Tr2: "(β ↿ E⇘ES2⇙) @ δ2'' @ ([v'] ↿ E⇘ES2⇙) @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_α2'Vv2: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
by blast
with validV2 have δ2''_in_E2_star: "set δ2'' ⊆ E⇘ES2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
(* Step 3: the corrections must not cross component boundaries.  δ1''
   consists of N1 ∩ Δ1 events, and the hypothesis N1 ∩ Δ1 ∩ E2 = {} makes
   its projection onto ES2 empty (symmetrically for δ2'').  Without these
   side conditions the corrected traces of the two components would
   disagree on shared events and could not be recombined below. *)
from δ1''_in_Nv1_Delta1_star N1_Delta1_E2_disjoint
have δ1''E2_empty: "δ1'' ↿ E⇘ES2⇙ = []"
proof -
from δ1''_in_Nv1_Delta1_star have "δ1'' = δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by (simp only: list_subset_iff_projection_neutral)
hence "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ E⇘ES2⇙"
by simp
moreover
have "δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ E⇘ES2⇙ = δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙)"
by (simp only: projection_def, auto)
with N1_Delta1_E2_disjoint have "δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ E⇘ES2⇙ = []"
by (simp add: projection_def)
ultimately show ?thesis
by simp
qed
moreover
from δ2''_in_Nv2_Delta2_star N2_Delta2_E1_disjoint have δ2''E1_empty: "δ2'' ↿ E⇘ES1⇙ = []"
proof -
from δ2''_in_Nv2_Delta2_star have "δ2'' = δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by (simp only: list_subset_iff_projection_neutral)
hence "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ E⇘ES1⇙"
by simp
moreover
have "δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ E⇘ES1⇙ = δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙)"
by (simp only: projection_def, auto)
with N2_Delta2_E1_disjoint have "δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ E⇘ES1⇙ = []"
by (simp add: projection_def)
ultimately show ?thesis
by simp
qed
moreover
note βE1δ1''vE1α1''_in_Tr1 βE2δ2''vE2α2''_in_Tr2 δ1''_in_E1_star δ2''_in_E2_star
(* Both corrected component traces can now be written as projections of
   the single prefix β @ δ1'' @ δ2'' @ [v'] of the composed system. *)
ultimately have βδ1''δ2''v'E1α1''_in_Tr1: "(β @ δ1'' @ δ2'' @ [v']) ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
and βδ1''δ2''v'E2α2''_in_Tr2: "(β @ δ1'' @ δ2'' @ [v']) ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute list_subset_iff_projection_neutral, auto,
simp only: projection_concatenation_commute list_subset_iff_projection_neutral, auto)
(* Assemble the premises of generalized_zipping_lemma: the common prefix
   lies in the composed alphabet, the target view α ↿ V lies in V, each
   αi'' lies in E_i, and α ↿ V restricted to E_i coincides with the
   V-view of αi''. *)
have "set (β @ δ1'' @ δ2'' @ [v']) ⊆ E⇘(ES1 ∥ ES2)⇙"
proof -
from βcv'α_in_Tr have "set β ⊆ E⇘(ES1 ∥ ES2)⇙"
by (simp add: composeES_def)
moreover
note δ1''_in_E1_star δ2''_in_E2_star
moreover
from v'_in_Vv_inter_Nabla VIsViewOnE
have "v' ∈ E⇘(ES1 ∥ ES2)⇙"
by (simp add:isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately show ?thesis
by (simp add: composeES_def, auto)
qed
moreover
have "set (α ↿ V⇘𝒱⇙) ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
from βE1δ1''vE1α1''_in_Tr1 validES1 have α1''_in_E1_star: "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from βE2δ2''vE2α2''_in_Tr2 validES2 have α2''_in_E2_star: "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
note βδ1''δ2''v'E1α1''_in_Tr1 βδ1''δ2''v'E2α2''_in_Tr2
moreover
have "(α ↿ V⇘𝒱⇙) ↿ E⇘ES1⇙ = α1'' ↿ V⇘𝒱⇙"
proof -
from α1''Vv1_is_α1'Vv1 α1'Vv1_is_αVv1 propSepViews
have "α ↿ (V⇘𝒱⇙ ∩ E⇘ES1⇙) = α1'' ↿ (E⇘ES1⇙ ∩ V⇘𝒱⇙)"
unfolding properSeparationOfViews_def by (simp add: Int_commute)
hence "α ↿ V⇘𝒱⇙ ↿ E⇘ES1⇙ = α1'' ↿ E⇘ES1⇙ ↿ V⇘𝒱⇙"
by (simp add: projection_def)
with α1''_in_E1_star show ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
have "(α ↿ V⇘𝒱⇙) ↿ E⇘ES2⇙ = α2'' ↿ V⇘𝒱⇙"
proof -
from α2''Vv2_is_α2'Vv2 α2'Vv2_is_αVv2 propSepViews
have "α ↿ (V⇘𝒱⇙ ∩ E⇘ES2⇙) = α2'' ↿ (E⇘ES2⇙ ∩ V⇘𝒱⇙)"
unfolding properSeparationOfViews_def by (simp add: Int_commute)
hence "α ↿ V⇘𝒱⇙ ↿ E⇘ES2⇙ = α2'' ↿ E⇘ES2⇙ ↿ V⇘𝒱⇙"
by (simp add: projection_def)
with α2''_in_E2_star show ?thesis
by (simp add: list_subset_iff_projection_neutral)
qed
moreover
note α1''Cv1_empty α2''Cv2_empty generalized_zipping_lemma
(* The zipping lemma yields a continuation t of the composed system with
   the required V-view and no C-events. *)
ultimately obtain t
where first: "(β @ δ1'' @ δ2'' @ [v']) @ t ∈ Tr⇘(ES1 ∥ ES2)⇙"
and second: "t ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙"
and third: "t ↿ C⇘𝒱⇙ = []"
by blast
(* Step 4: the combined correction δ1'' @ δ2'' is admissible for the
   composed view: it lies in Δ by Delta1_N1_Delta2_N2_subset_Delta and in
   N by the locale fact Nv1_union_Nv2_subsetof_Nv. *)
from δ1''_in_Nv1_Delta1_star δ2''_in_Nv2_Delta2_star
have "set (δ1'' @ δ2'') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)"
proof -
have "set (δ1'' @ δ2'') ⊆ Δ⇘Γ⇙"
proof -
from δ1''_in_Nv1_Delta1_star δ2''_in_Nv2_Delta2_star
have "set (δ1'' @ δ2'') ⊆ Δ⇘Γ1⇙ ∩ N⇘𝒱1⇙ ∪ Δ⇘Γ2⇙ ∩ N⇘𝒱2⇙"
by auto
with Delta1_N1_Delta2_N2_subset_Delta show ?thesis
by auto
qed
moreover
have "set (δ1'' @ δ2'') ⊆ N⇘𝒱⇙"
proof -
from δ1''_in_Nv1_Delta1_star δ2''_in_Nv2_Delta2_star
have "set (δ1'' @ δ2'') ⊆ (N⇘𝒱1⇙ ∪ N⇘𝒱2⇙)"
by auto
with Nv1_union_Nv2_subsetof_Nv show ?thesis
by auto
qed
ultimately show ?thesis
by auto
qed
moreover
from first have "β @ (δ1'' @ δ2'') @ [v'] @ t ∈ Tr⇘(ES1 ∥ ES2)⇙"
by auto
moreover
note second third
(* This is exactly the existential required by FCD_def for the composed
   system, with γ' := δ1'' @ δ2'' and α' := t. *)
ultimately have "∃α'. ∃γ'. (set γ') ⊆ (N⇘𝒱⇙ ∩ Δ⇘Γ⇙)
∧ ((β @ γ' @ [v'] @ α') ∈ Tr⇘(ES1 ∥ ES2)⇙
∧ (α' ↿ V⇘𝒱⇙) = (α ↿ V⇘𝒱⇙)
∧ α' ↿ C⇘𝒱⇙ = [])"
by blast
}
thus ?thesis
unfolding FCD_def
by auto
qed
theorem compositionality_FCI:
"⟦ BSD 𝒱1 Tr⇘ES1⇙; BSD 𝒱2 Tr⇘ES2⇙; BSIA ρ1 𝒱1 Tr⇘ES1⇙; BSIA ρ2 𝒱2 Tr⇘ES2⇙;
total ES1 (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙); total ES2 (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙);
∇⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ ∇⇘Γ1⇙; ∇⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ ∇⇘Γ2⇙;
Υ⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙; Υ⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙;
( Δ⇘Γ1⇙ ∩ N⇘𝒱1⇙ ∪ Δ⇘Γ2⇙ ∩ N⇘𝒱2⇙ ) ⊆ Δ⇘Γ⇙;
(N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙)
∨ ( N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {} ∧ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙) ;
FCI Γ1 𝒱1 Tr⇘ES1⇙; FCI Γ2 𝒱2 Tr⇘ES2⇙ ⟧
⟹ FCI Γ 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume BSD1: "BSD 𝒱1 Tr⇘ES1⇙"
and BSD2: "BSD 𝒱2 Tr⇘ES2⇙"
and BSIA1: "BSIA ρ1 𝒱1 Tr⇘ES1⇙"
and BSIA2: "BSIA ρ2 𝒱2 Tr⇘ES2⇙"
and total_ES1_C1_inter_Upsilon1: "total ES1 (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙)"
and total_ES2_C2_inter_Upsilon2: "total ES2 (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙)"
and Nabla_inter_E1_subset_Nabla1: "∇⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ ∇⇘Γ1⇙"
and Nabla_inter_E2_subset_Nabla2: "∇⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ ∇⇘Γ2⇙"
and Upsilon_inter_E1_subset_Upsilon1: "Υ⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙"
and Upsilon_inter_E2_subset_Upsilon2: "Υ⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙"
and Delta1_N1_Delta2_N2_subset_Delta: "( Δ⇘Γ1⇙ ∩ N⇘𝒱1⇙ ∪ Δ⇘Γ2⇙ ∩ N⇘𝒱2⇙ ) ⊆ Δ⇘Γ⇙"
and very_long_asm: "(N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙)
∨ ( N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {} ∧ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙)"
and FCI1: "FCI Γ1 𝒱1 Tr⇘ES1⇙"
and FCI2: "FCI Γ2 𝒱2 Tr⇘ES2⇙"
{
fix α β c v'
assume c_in_Cv_inter_Upsilon: "c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙)"
and v'_in_Vv_inter_Nabla: "v' ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙)"
and βv'α_in_Tr: "(β @ [v'] @ α) ∈ Tr⇘(ES1 ∥ ES2)⇙"
and αCv_empty: "α ↿ C⇘𝒱⇙ = []"
from βv'α_in_Tr
have βv'α_E1_in_Tr1: "(((β @ [v']) @ α) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
and βv'α_E2_in_Tr2: "(((β @ [v']) @ α) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: composeES_def)+
interpret CSES1: CompositionSupport "ES1" "𝒱" "𝒱1"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES1 validV1)
interpret CSES2: CompositionSupport "ES2" "𝒱" "𝒱2"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES2 validV2)
from CSES1.BSD_in_subsystem2[OF βv'α_E1_in_Tr1 BSD1] obtain α1'
where βv'E1α1'_in_Tr1: "(β @ [v']) ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
and α1'Vv1_is_αVv1: "α1' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
and α1'Cv1_empty: "α1' ↿ C⇘𝒱1⇙ = []"
by auto
from CSES2.BSD_in_subsystem2[OF βv'α_E2_in_Tr2 BSD2] obtain α2'
where βv'E2α2'_in_Tr2: "(β @ [v']) ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
and α2'Vv2_is_αVv2: "α2' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
and α2'Cv2_empty: "α2' ↿ C⇘𝒱2⇙ = []"
by auto
note very_long_asm
moreover {
assume Nv1_inter_Delta1_inter_E2_empty: "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {}"
and Nv2_inter_Delta2_inter_E1_subsetof_Upsilon1: "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙"
let ?ALPHA2''_DELTA2'' = "∃ α2'' δ2''. (
set α2'' ⊆ E⇘ES2⇙ ∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = [])"
from c_in_Cv_inter_Upsilon v'_in_Vv_inter_Nabla validV2
have "c ∉ E⇘ES2⇙ ∨ (c ∈ E⇘ES2⇙ ∧ v' ∉ E⇘ES2⇙) ∨ (c ∈ E⇘ES2⇙ ∧ v' ∈ E⇘ES2⇙)"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def)
moreover {
assume c_notin_E2: "c ∉ E⇘ES2⇙"
from validES2 βv'E2α2'_in_Tr2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from βv'E2α2'_in_Tr2 c_notin_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
have "α2' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙" ..
moreover
note α2'Cv2_empty
ultimately have ?ALPHA2''_DELTA2''
by blast
}
moreover {
assume c_in_E2: "c ∈ E⇘ES2⇙"
and v'_notin_E2: "v' ∉ E⇘ES2⇙"
from c_in_E2 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E2_subset_Upsilon2
have c_in_Cv2_inter_Upsilon2: "c ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def by auto
hence "c ∈ C⇘𝒱2⇙"
by auto
moreover
from βv'E2α2'_in_Tr2 v'_notin_E2 have "β ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note α2'Cv2_empty
moreover
have "(Adm 𝒱2 ρ2 Tr⇘ES2⇙ (β ↿ E⇘ES2⇙) c)"
proof -
from validES2 βv'E2α2'_in_Tr2 v'_notin_E2 have "β ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def projection_concatenation_commute)
with total_ES2_C2_inter_Upsilon2 c_in_Cv2_inter_Upsilon2
have "β ↿ E⇘ES2⇙ @ [c] ∈ Tr⇘ES2⇙"
by (simp add: total_def)
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA2
ultimately obtain α2''
where one: "β ↿ E⇘ES2⇙ @ [c] @ α2'' ∈ Tr⇘ES2⇙"
and two: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and three: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSIA_def
by blast
from one validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from one c_in_E2 v'_notin_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note two three
ultimately have ?ALPHA2''_DELTA2''
by blast
}
moreover {
assume c_in_E2: "c ∈ E⇘ES2⇙"
and v'_in_E2: "v' ∈ E⇘ES2⇙"
from c_in_E2 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E2_subset_Upsilon2
have c_in_Cv2_inter_Upsilon2: "c ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E2 propSepViews v'_in_Vv_inter_Nabla Nabla_inter_E2_subset_Nabla2
have "v' ∈ V⇘𝒱2⇙ ∩ Nabla Γ2"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E2 βv'E2α2'_in_Tr2 have "β ↿ E⇘ES2⇙ @ [v'] @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note α2'Cv2_empty FCI2
ultimately obtain α2'' δ2''
where one: "set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and two: "β ↿ E⇘ES2⇙ @ [c] @ δ2'' @ [v'] @ α2'' ∈ Tr⇘ES2⇙"
and three: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and four: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCI_def
by blast
from two validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
note one
moreover
from two c_in_E2 v'_in_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note three four
ultimately have ?ALPHA2''_DELTA2''
by blast
}
ultimately obtain α2'' δ2''
where α2''_in_E2star: "set α2'' ⊆ E⇘ES2⇙"
and δ2''_in_N2_inter_Delta2star:"set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and βE2_cE2_δ2''_v'E2_α2''_in_Tr2:
"β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_α2'Vv2: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
by blast
from c_in_Cv_inter_Upsilon Upsilon_inter_E1_subset_Upsilon1
propSepViews
have cE1_in_Cv1_inter_Upsilon1: "set ([c] ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def by (simp add: projection_def, auto)
from δ2''_in_N2_inter_Delta2star Nv2_inter_Delta2_inter_E1_subsetof_Upsilon1
propSepViews disjoint_Nv2_Vv1
have δ2''E1_in_Cv1_inter_Upsilon1star: "set (δ2'' ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
from δ2''_in_N2_inter_Delta2star
have eq: "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙)"
by (metis Int_commute Int_left_commute Int_lower1 Int_lower2
projection_intersection_neutral subset_trans)
from validV1 Nv2_inter_Delta2_inter_E1_subsetof_Upsilon1 propSepViews
disjoint_Nv2_Vv1
have "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def
by (simp add:isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (subst eq, simp only: projection_def, auto)
qed
have cδ2''E1_in_Cv1_inter_Upsilon1star: "set ((c # δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
from cE1_in_Cv1_inter_Upsilon1 δ2''E1_in_Cv1_inter_Upsilon1star
have "set (([c] @ δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by auto
qed
have "∃ α1'' δ1''. set α1'' ⊆ E⇘ES1⇙
∧ set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2
⇙ ∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []
∧ δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
proof cases
assume v'_in_E1: "v' ∈ E⇘ES1⇙"
with Nabla_inter_E1_subset_Nabla1 propSepViews v'_in_Vv_inter_Nabla
have v'_in_Vv1_inter_Nabla1: "v' ∈ V⇘𝒱1⇙ ∩ Nabla Γ1"
unfolding properSeparationOfViews_def by auto
have "⟦ (β @ [v']) ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙ ;
α1' ↿ C⇘𝒱1⇙ = []; set ((c # δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ;
c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ; set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ⟧
⟹ ∃ α1'' δ1''. (set α1'' ⊆ E⇘ES1⇙ ∧ set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙
∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []
∧ δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙)"
proof (induct "length ((c # δ2'') ↿ E⇘ES1⇙)" arbitrary: β α1' c δ2'')
case 0
from 0(2) validES1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES1⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α1' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E1: "c' ∈ E⇘ES1⇙"
and cδ2''_is_μc'ν: "c # δ2'' = μ @ [c'] @ ν"
and νE1_empty: "ν ↿ E⇘ES1⇙ = []"
and n_is_length_μνE1: "n = length ((μ @ ν) ↿ E⇘ES1⇙)"
by blast
from Suc(5) c'_in_E1 cδ2''_is_μc'ν
have "set (μ ↿ E⇘ES1⇙ @ [c']) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp only: cδ2''_is_μc'ν projection_concatenation_commute
projection_def, auto)
hence c'_in_Cv1_inter_Upsilon1: "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by auto
hence c'_in_Cv1: "c' ∈ C⇘𝒱1⇙" and c'_in_Upsilon1: "c' ∈ Υ⇘Γ1⇙"
by auto
with validV1 have c'_in_E1: "c' ∈ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ2''_is_μc'ν have c_is_c': "c = c'" and δ2''_is_ν: "δ2'' = ν"
by auto
with c'_in_Cv1_inter_Upsilon1 have "c ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by simp
moreover
note v'_in_Vv1_inter_Nabla1
moreover
from v'_in_E1 Suc(3) have "(β ↿ E⇘ES1⇙) @ [v'] @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4) FCI1
ultimately obtain α1'' γ
where one: "set γ ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and two: "β ↿ E⇘ES1⇙ @ [c] @ γ @ [v'] @ α1'' ∈ Tr⇘ES1⇙"
and three: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and four: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCI_def
by blast
let ?DELTA1'' = "ν ↿ E⇘ES1⇙ @ γ"
from two validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from one νE1_empty
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
proof -
from c_is_c' c'_in_E1 have "[c] = [c] ↿ E⇘ES1⇙"
by (simp add: projection_def)
moreover
from v'_in_E1 have "[v'] = [v'] ↿ E⇘ES1⇙"
by (simp add: projection_def)
moreover
note νE1_empty two
ultimately show ?thesis
by auto
qed
moreover
note three four
moreover
have "?DELTA1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
proof -
have "γ ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = []"
proof -
from validV1 have "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = {}"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with projection_intersection_neutral[OF one, of "C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"]
show ?thesis
by (simp add: projection_def)
qed
with δ2''_is_ν νE1_empty show ?thesis
by (simp add: projection_concatenation_commute)
qed
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ2''_is_μc'ν have μ_is_c_xs: "μ = [c] @ xs"
and δ2''_is_xs_c'_ν: "δ2'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE1 have "n = length ((c # (xs @ ν)) ↿ E⇘ES1⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ2''_is_μc'ν μ_is_c_xs νE1_empty
show ?thesis
by (subst res, simp only: cδ2''_is_μc'ν projection_concatenation_commute
set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ2''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover note Suc(1)[of c "xs @ ν" β α1']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES1⇙"
and two: "set γ ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and three: "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ @ [v'] ↿ E⇘ES1⇙ @ δ ∈ Tr⇘ES1⇙"
and four: "δ ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and five: "δ ↿ C⇘𝒱1⇙ = []"
and six: "γ ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = (xs @ ν) ↿ E⇘ES1⇙"
by blast
let ?BETA = "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ"
note c'_in_Cv1_inter_Upsilon1 v'_in_Vv1_inter_Nabla1
moreover
from three v'_in_E1 have "?BETA @ [v'] @ δ ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note five FCI1
ultimately obtain α1'' δ'
where fci_one: "set δ' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and fci_two: "?BETA @ [c'] @ δ' @ [v'] @ α1'' ∈ Tr⇘ES1⇙"
and fci_three: "α1'' ↿ V⇘𝒱1⇙ = δ ↿ V⇘𝒱1⇙"
and fci_four: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCI_def
by blast
let ?DELTA1'' = "γ @ [c'] @ δ'"
from fci_two validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
proof -
from Suc(7) c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν
have "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with two fci_one show ?thesis
by auto
qed
moreover
from fci_two v'_in_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
from fci_three four have "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
by simp
moreover
note fci_four
moreover
have "?DELTA1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
proof -
have "δ' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = []"
proof -
from fci_one have "∀ e ∈ set δ'. e ∈ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with validV1 have "∀ e ∈ set δ'. e ∉ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (simp add: projection_def)
qed
with c'_in_E1 c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν νE1_empty six
show ?thesis
by (simp only: projection_concatenation_commute projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E1α1'_in_Tr1 α1'Cv1_empty cδ2''E1_in_Cv1_inter_Upsilon1star
c_in_Cv_inter_Upsilon δ2''_in_N2_inter_Delta2star]
obtain α1'' δ1''
where one: "set α1'' ⊆ E⇘ES1⇙"
and two: "set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and three: "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []"
and four: "δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
by blast
note one two three
moreover
have "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
proof -
from projection_intersection_neutral[OF two, of "E⇘ES2⇙"]
Nv1_inter_Delta1_inter_E2_empty validV2
have "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES2⇙)"
by (simp only: Int_Un_distrib2, auto)
moreover
from validV2
have "C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES2⇙ = C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately have "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by simp
hence "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by (simp add: projection_def)
with four have "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙ ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by simp
hence "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ E⇘ES1⇙"
by (simp only: projection_commute)
with δ2''_in_N2_inter_Delta2star show ?thesis
by (simp only: list_subset_iff_projection_neutral)
qed
ultimately show ?thesis
by blast
next
assume v'_notin_E1: "v' ∉ E⇘ES1⇙"
have "⟦ (β @ [v']) ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙ ;
α1' ↿ C⇘𝒱1⇙ = []; set ((c # δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ;
c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ; set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ⟧
⟹ ∃ α1'' δ1''. (set α1'' ⊆ E⇘ES1⇙ ∧ set δ1'' ⊆ N⇘𝒱1⇙
∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2
⇙ ∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []
∧ δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙)"
proof (induct "length ((c # δ2'') ↿ E⇘ES1⇙)" arbitrary: β α1' c δ2'')
case 0
from 0(2) validES1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES1⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α1' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E1: "c' ∈ E⇘ES1⇙"
and cδ2''_is_μc'ν: "c # δ2'' = μ @ [c'] @ ν"
and νE1_empty: "ν ↿ E⇘ES1⇙ = []"
and n_is_length_μνE1: "n = length ((μ @ ν) ↿ E⇘ES1⇙)"
by blast
from Suc(5) c'_in_E1 cδ2''_is_μc'ν
have "set (μ ↿ E⇘ES1⇙ @ [c']) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp only: cδ2''_is_μc'ν projection_concatenation_commute
projection_def, auto)
hence c'_in_Cv1_inter_Upsilon1: "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by auto
hence c'_in_Cv1: "c' ∈ C⇘𝒱1⇙" and c'_in_Upsilon1: "c' ∈ Υ⇘Γ1⇙"
by auto
with validV1 have c'_in_E1: "c' ∈ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ2''_is_μc'ν have c_is_c': "c = c'"
and δ2''_is_ν: "δ2'' = ν"
by auto
with c'_in_Cv1_inter_Upsilon1 have "c ∈ C⇘𝒱1⇙"
by simp
moreover
from v'_notin_E1 Suc(3) have "(β ↿ E⇘ES1⇙) @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4)
moreover
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ (β ↿ E⇘ES1⇙) c"
proof -
have "β ↿ E⇘ES1⇙ @ [c] ∈ Tr⇘ES1⇙"
proof -
from c_is_c' c'_in_Cv1_inter_Upsilon1
have "c ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by simp
moreover
from validES1 Suc(3)
have "(β ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
by (simp only: ES_valid_def traces_prefixclosed_def
projection_concatenation_commute
prefixclosed_def prefix_def, auto)
moreover
note total_ES1_C1_inter_Upsilon1
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA1
ultimately obtain α1''
where one: "(β ↿ E⇘ES1⇙) @ [c] @ α1'' ∈ Tr⇘ES1⇙"
and two: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and three: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA1'' = "ν ↿ E⇘ES1⇙"
from one validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from νE1_empty
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by simp
moreover
from c_is_c' c'_in_E1 one v'_notin_E1 νE1_empty
have "(β ↿ E⇘ES1⇙) @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note two three
moreover
from νE1_empty δ2''_is_ν have "?DELTA1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
by (simp add: projection_def)
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ2''_is_μc'ν
have μ_is_c_xs: "μ = [c] @ xs" and δ2''_is_xs_c'_ν: "δ2'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE1 have "n = length ((c # (xs @ ν)) ↿ E⇘ES1⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ2''_is_μc'ν μ_is_c_xs νE1_empty
show ?thesis
by (subst res, simp only: cδ2''_is_μc'ν projection_concatenation_commute
set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ2''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover note Suc(1)[of c "xs @ ν" β α1']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES1⇙"
and two: "set γ ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and three: "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ @ [v'] ↿ E⇘ES1⇙ @ δ ∈ Tr⇘ES1⇙"
and four: "δ ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and five: "δ ↿ C⇘𝒱1⇙ = []"
and six: "γ ↿ E⇘ES2⇙ = (xs @ ν) ↿ E⇘ES1⇙"
by blast
let ?BETA = "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ"
from c'_in_Cv1_inter_Upsilon1 have "c' ∈ C⇘𝒱1⇙"
by auto
moreover
from three v'_notin_E1 have "?BETA @ δ ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note five
moreover
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ ?BETA c'"
proof -
have "?BETA @ [c'] ∈ Tr⇘ES1⇙"
proof -
from validES1 three
have "?BETA ∈ Tr⇘ES1⇙"
by (simp only: ES_valid_def traces_prefixclosed_def
projection_concatenation_commute
prefixclosed_def prefix_def, auto)
moreover
note c'_in_Cv1_inter_Upsilon1 total_ES1_C1_inter_Upsilon1
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA1
ultimately obtain α1''
where bsia_one: "?BETA @ [c'] @ α1'' ∈ Tr⇘ES1⇙"
and bsia_two: "α1'' ↿ V⇘𝒱1⇙ = δ ↿ V⇘𝒱1⇙"
and bsia_three: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA1'' = "γ @ [c']"
from bsia_one validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add:isViewOn_def ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
proof -
from Suc(7) c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν
have "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with two show ?thesis
by auto
qed
moreover
from bsia_one v'_notin_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
from bsia_two four have "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
by simp
moreover
note bsia_three
moreover
have "?DELTA1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
proof -
from validV2 Suc(7) δ2''_is_xs_c'_ν
have "c' ∈ E⇘ES2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with c'_in_E1 c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν νE1_empty six
show ?thesis
by (simp only: projection_concatenation_commute projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E1α1'_in_Tr1 α1'Cv1_empty cδ2''E1_in_Cv1_inter_Upsilon1star
c_in_Cv_inter_Upsilon δ2''_in_N2_inter_Delta2star]
show ?thesis
by blast
qed
then obtain α1'' δ1''
where α1''_in_E1star: "set α1'' ⊆ E⇘ES1⇙"
and δ1''_in_N1_inter_Delta1star:"set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and βE1_cE1_δ1''_v'E1_α1''_in_Tr1:
"β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_α1'Vv1: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
and δ1''E2_is_δ2''E1: "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
by blast
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 βE2_cE2_δ2''_v'E2_α2''_in_Tr2
validES1 validES2
have δ1''_in_E1star: "set δ1'' ⊆ E⇘ES1⇙" and δ2''_in_E2star: "set δ2'' ⊆ E⇘ES2⇙"
by (simp_all add: ES_valid_def traces_contain_events_def, auto)
with δ1''E2_is_δ2''E1 merge_property[of δ1'' "E⇘ES1⇙" δ2'' "E⇘ES2⇙"] obtain δ'
where δ'E1_is_δ1'': "δ' ↿ E⇘ES1⇙ = δ1''"
and δ'E2_is_δ2'': "δ' ↿ E⇘ES2⇙ = δ2''"
and δ'_contains_only_δ1''_δ2''_events: "set δ' ⊆ set δ1'' ∪ set δ2''"
unfolding Let_def
by auto
let ?TAU = "β @ [c] @ δ' @ [v']"
let ?LAMBDA = "α ↿ V⇘𝒱⇙"
let ?T1 = α1''
let ?T2 = α2''
have "?TAU ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1'' validES1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ' ↿ E⇘ES1⇙ @ [v'] ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: projection_def, auto)
moreover
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2'' validES2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ' ↿ E⇘ES2⇙ @ [v'] ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: projection_def, auto)
moreover
from βv'α_in_Tr c_in_Cv_inter_Upsilon VIsViewOnE
δ'_contains_only_δ1''_δ2''_events δ1''_in_E1star δ2''_in_E2star
have "set (β @ [c] @ δ' @ [v']) ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙"
unfolding composeES_def isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def
by auto
ultimately show ?thesis
unfolding composeES_def
by auto
qed
hence "set ?TAU ⊆ E⇘(ES1 ∥ ES2)⇙"
unfolding composeES_def
by auto
moreover
have "set ?LAMBDA ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
note α1''_in_E1star α2''_in_E2star
moreover
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1''
have "?TAU ↿ E⇘ES1⇙ @ ?T1 ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2''
have "?TAU ↿ E⇘ES2⇙ @ ?T2 ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
have "?LAMBDA ↿ E⇘ES1⇙ = ?T1 ↿ V⇘𝒱⇙"
proof -
from propSepViews have "?LAMBDA ↿ E⇘ES1⇙ = α ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def by (simp add: projection_sequence)
moreover
from α1''_in_E1star propSepViews
have "?T1 ↿ V⇘𝒱⇙ = ?T1 ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α1'Vv1_is_αVv1 α1''Vv1_is_α1'Vv1
ultimately show ?thesis
by simp
qed
moreover
have "?LAMBDA ↿ E⇘ES2⇙ = ?T2 ↿ V⇘𝒱⇙"
proof -
from propSepViews
have "?LAMBDA ↿ E⇘ES2⇙ = α ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def by (simp add: projection_sequence)
moreover
from α2''_in_E2star propSepViews
have "?T2 ↿ V⇘𝒱⇙ = ?T2 ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α2'Vv2_is_αVv2 α2''Vv2_is_α2'Vv2
ultimately show ?thesis
by simp
qed
moreover
note α1''Cv1_empty α2''Cv2_empty generalized_zipping_lemma
ultimately obtain t
where "?TAU @ t ∈ Tr⇘(ES1 ∥ ES2)⇙"
and "t ↿ V⇘𝒱⇙ = ?LAMBDA"
and "t ↿ C⇘𝒱⇙ = []"
by blast
moreover
have "set δ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙"
proof -
from δ'_contains_only_δ1''_δ2''_events
δ1''_in_N1_inter_Delta1star δ2''_in_N2_inter_Delta2star
have "set δ' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with Delta1_N1_Delta2_N2_subset_Delta Nv1_union_Nv2_subsetof_Nv
show ?thesis
by auto
qed
ultimately
have "∃α' γ'. (set γ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙ ∧ β @ [c] @ γ' @ [v'] @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by (simp only: append_assoc, blast)
}
moreover {
assume Nv2_inter_Delta2_inter_E1_empty: "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {}"
and Nv1_inter_Delta1_inter_E2_subsetof_Upsilon2: "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙"
let ?ALPHA1''_DELTA1'' = "∃ α1'' δ1''. (
set α1'' ⊆ E⇘ES1⇙ ∧ set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = [])"
from c_in_Cv_inter_Upsilon v'_in_Vv_inter_Nabla validV1
have "c ∉ E⇘ES1⇙ ∨ (c ∈ E⇘ES1⇙ ∧ v' ∉ E⇘ES1⇙) ∨ (c ∈ E⇘ES1⇙ ∧ v' ∈ E⇘ES1⇙)"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def)
moreover {
assume c_notin_E1: "c ∉ E⇘ES1⇙"
from validES1 βv'E1α1'_in_Tr1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from βv'E1α1'_in_Tr1 c_notin_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
have "α1' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙" ..
moreover
note α1'Cv1_empty
ultimately have ?ALPHA1''_DELTA1''
by blast
}
moreover {
assume c_in_E1: "c ∈ E⇘ES1⇙"
and v'_notin_E1: "v' ∉ E⇘ES1⇙"
from c_in_E1 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E1_subset_Upsilon1
have c_in_Cv1_inter_Upsilon1: "c ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def by auto
hence "c ∈ C⇘𝒱1⇙"
by auto
moreover
from βv'E1α1'_in_Tr1 v'_notin_E1 have "β ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note α1'Cv1_empty
moreover
have "(Adm 𝒱1 ρ1 Tr⇘ES1⇙ (β ↿ E⇘ES1⇙) c)"
proof -
from validES1 βv'E1α1'_in_Tr1 v'_notin_E1 have "β ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def projection_concatenation_commute)
with total_ES1_C1_inter_Upsilon1 c_in_Cv1_inter_Upsilon1
have "β ↿ E⇘ES1⇙ @ [c] ∈ Tr⇘ES1⇙"
by (simp add: total_def)
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA1
ultimately obtain α1''
where one: "β ↿ E⇘ES1⇙ @ [c] @ α1'' ∈ Tr⇘ES1⇙"
and two: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and three: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSIA_def
by blast
from one validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from one c_in_E1 v'_notin_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note two three
ultimately have ?ALPHA1''_DELTA1''
by blast
}
moreover {
assume c_in_E1: "c ∈ E⇘ES1⇙"
and v'_in_E1: "v' ∈ E⇘ES1⇙"
from c_in_E1 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E1_subset_Upsilon1
have c_in_Cv1_inter_Upsilon1: "c ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E1 propSepViews v'_in_Vv_inter_Nabla Nabla_inter_E1_subset_Nabla1
have "v' ∈ V⇘𝒱1⇙ ∩ Nabla Γ1"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E1 βv'E1α1'_in_Tr1 have "β ↿ E⇘ES1⇙ @ [v'] @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note α1'Cv1_empty FCI1
ultimately obtain α1'' δ1''
where one: "set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and two: "β ↿ E⇘ES1⇙ @ [c] @ δ1'' @ [v'] @ α1'' ∈ Tr⇘ES1⇙"
and three: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and four: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCI_def
by blast
from two validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
note one
moreover
from two c_in_E1 v'_in_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note three four
ultimately have ?ALPHA1''_DELTA1''
by blast
}
ultimately obtain α1'' δ1''
where α1''_in_E1star: "set α1'' ⊆ E⇘ES1⇙"
and δ1''_in_N1_inter_Delta1star:"set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and βE1_cE1_δ1''_v'E1_α1''_in_Tr1:
"β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_α1'Vv1: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
by blast
from c_in_Cv_inter_Upsilon Upsilon_inter_E2_subset_Upsilon2 propSepViews
have cE2_in_Cv2_inter_Upsilon2: "set ([c] ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def by (simp add: projection_def, auto)
from δ1''_in_N1_inter_Delta1star Nv1_inter_Delta1_inter_E2_subsetof_Upsilon2
propSepViews disjoint_Nv1_Vv2
have δ1''E2_in_Cv2_inter_Upsilon2star: "set (δ1'' ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
from δ1''_in_N1_inter_Delta1star have eq: "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙)"
by (metis Int_commute Int_left_commute Int_lower2 Int_lower1
projection_intersection_neutral subset_trans)
from validV2 Nv1_inter_Delta1_inter_E2_subsetof_Upsilon2
propSepViews disjoint_Nv1_Vv2
have "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (subst eq, simp only: projection_def, auto)
qed
have cδ1''E2_in_Cv2_inter_Upsilon2star: "set ((c # δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
from cE2_in_Cv2_inter_Upsilon2 δ1''E2_in_Cv2_inter_Upsilon2star
have "set (([c] @ δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by auto
qed
have "∃ α2'' δ2''. set α2'' ⊆ E⇘ES2⇙
∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []
∧ δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
proof cases
assume v'_in_E2: "v' ∈ E⇘ES2⇙"
with Nabla_inter_E2_subset_Nabla2
propSepViews v'_in_Vv_inter_Nabla
have v'_in_Vv2_inter_Nabla2: "v' ∈ V⇘𝒱2⇙ ∩ Nabla Γ2"
unfolding properSeparationOfViews_def by auto
have "⟦ (β @ [v']) ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙ ;
α2' ↿ C⇘𝒱2⇙ = []; set ((c # δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ;
c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ; set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ⟧
⟹ ∃ α2'' δ2''. (set α2'' ⊆ E⇘ES2⇙ ∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙
∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []
∧ δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙)"
proof (induct "length ((c # δ1'') ↿ E⇘ES2⇙)" arbitrary: β α2' c δ1'')
case 0
from 0(2) validES2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES2⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α2' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E2: "c' ∈ E⇘ES2⇙"
and cδ1''_is_μc'ν: "c # δ1'' = μ @ [c'] @ ν"
and νE2_empty: "ν ↿ E⇘ES2⇙ = []"
and n_is_length_μνE2: "n = length ((μ @ ν) ↿ E⇘ES2⇙)"
by blast
from Suc(5) c'_in_E2 cδ1''_is_μc'ν
have "set (μ ↿ E⇘ES2⇙ @ [c']) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp only: cδ1''_is_μc'ν projection_concatenation_commute
projection_def, auto)
hence c'_in_Cv2_inter_Upsilon2: "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by auto
hence c'_in_Cv2: "c' ∈ C⇘𝒱2⇙" and c'_in_Upsilon2: "c' ∈ Υ⇘Γ2⇙"
by auto
with validV2 have c'_in_E2: "c' ∈ E⇘ES2⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ1''_is_μc'ν have c_is_c': "c = c'" and δ1''_is_ν: "δ1'' = ν"
by auto
with c'_in_Cv2_inter_Upsilon2 have "c ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by simp
moreover
note v'_in_Vv2_inter_Nabla2
moreover
from v'_in_E2 Suc(3) have "(β ↿ E⇘ES2⇙) @ [v'] @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4) FCI2
ultimately obtain α2'' γ
where one: "set γ ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and two: "β ↿ E⇘ES2⇙ @ [c] @ γ @ [v'] @ α2'' ∈ Tr⇘ES2⇙"
and three: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and four: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCI_def
by blast
let ?DELTA2'' = "ν ↿ E⇘ES2⇙ @ γ"
from two validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from one νE2_empty
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
proof -
from c_is_c' c'_in_E2 have "[c] = [c] ↿ E⇘ES2⇙"
by (simp add: projection_def)
moreover
from v'_in_E2 have "[v'] = [v'] ↿ E⇘ES2⇙"
by (simp add: projection_def)
moreover
note νE2_empty two
ultimately show ?thesis
by auto
qed
moreover
note three four
moreover
have "?DELTA2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
proof -
have "γ ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = []"
proof -
from validV2 have "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = {}"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with projection_intersection_neutral[OF one, of "C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"]
show ?thesis
by (simp add: projection_def)
qed
with δ1''_is_ν νE2_empty show ?thesis
by (simp add: projection_concatenation_commute)
qed
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ1''_is_μc'ν have μ_is_c_xs: "μ = [c] @ xs"
and δ1''_is_xs_c'_ν: "δ1'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE2 have "n = length ((c # (xs @ ν)) ↿ E⇘ES2⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ1''_is_μc'ν μ_is_c_xs νE2_empty
show ?thesis
by (subst res, simp only: cδ1''_is_μc'ν
projection_concatenation_commute set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ1''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover note Suc(1)[of c "xs @ ν" β α2']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES2⇙"
and two: "set γ ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and three: "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ @ [v'] ↿ E⇘ES2⇙ @ δ ∈ Tr⇘ES2⇙"
and four: "δ ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and five: "δ ↿ C⇘𝒱2⇙ = []"
and six: "γ ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = (xs @ ν) ↿ E⇘ES2⇙"
by blast
let ?BETA = "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ"
note c'_in_Cv2_inter_Upsilon2 v'_in_Vv2_inter_Nabla2
moreover
from three v'_in_E2 have "?BETA @ [v'] @ δ ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note five FCI2
ultimately obtain α2'' δ'
where fci_one: "set δ' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and fci_two: "?BETA @ [c'] @ δ' @ [v'] @ α2'' ∈ Tr⇘ES2⇙"
and fci_three: "α2'' ↿ V⇘𝒱2⇙ = δ ↿ V⇘𝒱2⇙"
and fci_four: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCI_def
by blast
let ?DELTA2'' = "γ @ [c'] @ δ'"
from fci_two validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
proof -
from Suc(7) c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν
have "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with two fci_one show ?thesis
by auto
qed
moreover
from fci_two v'_in_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
from fci_three four have "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
by simp
moreover
note fci_four
moreover
have "?DELTA2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
proof -
have "δ' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = []"
proof -
from fci_one have "∀ e ∈ set δ'. e ∈ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with validV2 have "∀ e ∈ set δ'. e ∉ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (simp add: projection_def)
qed
with c'_in_E2 c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν νE2_empty six
show ?thesis
by (simp only: projection_concatenation_commute projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E2α2'_in_Tr2 α2'Cv2_empty cδ1''E2_in_Cv2_inter_Upsilon2star
c_in_Cv_inter_Upsilon δ1''_in_N1_inter_Delta1star]
obtain α2'' δ2''
where one: "set α2'' ⊆ E⇘ES2⇙"
and two: "set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and three: "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []"
and four: "δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
by blast
note one two three
moreover
have "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
proof -
from projection_intersection_neutral[OF two, of "E⇘ES1⇙"]
Nv2_inter_Delta2_inter_E1_empty validV1
have "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES1⇙)"
by (simp only: Int_Un_distrib2, auto)
moreover
from validV1
have "C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES1⇙ = C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
ultimately have "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by simp
hence "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by (simp add: projection_def)
with four have "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙ ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by simp
hence "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ E⇘ES2⇙"
by (simp only: projection_commute)
with δ1''_in_N1_inter_Delta1star show ?thesis
by (simp only: list_subset_iff_projection_neutral)
qed
ultimately show ?thesis
by blast
next
assume v'_notin_E2: "v' ∉ E⇘ES2⇙"
have
"⟦ (β @ [v']) ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙ ; α2' ↿ C⇘𝒱2⇙ = [];
set ((c # δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ; c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ;
set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ⟧
⟹ ∃ α2'' δ2''.
(set α2'' ⊆ E⇘ES2⇙ ∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2 ⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []
∧ δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙)"
proof (induct "length ((c # δ1'') ↿ E⇘ES2⇙)" arbitrary: β α2' c δ1'')
case 0
from 0(2) validES2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES2⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α2' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E2: "c' ∈ E⇘ES2⇙"
and cδ1''_is_μc'ν: "c # δ1'' = μ @ [c'] @ ν"
and νE2_empty: "ν ↿ E⇘ES2⇙ = []"
and n_is_length_μνE2: "n = length ((μ @ ν) ↿ E⇘ES2⇙)"
by blast
from Suc(5) c'_in_E2 cδ1''_is_μc'ν have "set (μ ↿ E⇘ES2⇙ @ [c']) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp only: cδ1''_is_μc'ν projection_concatenation_commute projection_def, auto)
hence c'_in_Cv2_inter_Upsilon2: "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by auto
hence c'_in_Cv2: "c' ∈ C⇘𝒱2⇙" and c'_in_Upsilon2: "c' ∈ Υ⇘Γ2⇙"
by auto
with validV2 have c'_in_E2: "c' ∈ E⇘ES2⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ1''_is_μc'ν have c_is_c': "c = c'" and δ1''_is_ν: "δ1'' = ν"
by auto
with c'_in_Cv2_inter_Upsilon2 have "c ∈ C⇘𝒱2⇙"
by simp
moreover
from v'_notin_E2 Suc(3) have "(β ↿ E⇘ES2⇙) @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4)
moreover
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ (β ↿ E⇘ES2⇙) c"
proof -
have "β ↿ E⇘ES2⇙ @ [c] ∈ Tr⇘ES2⇙"
proof -
from c_is_c' c'_in_Cv2_inter_Upsilon2 have "c ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by simp
moreover
from validES2 Suc(3) have "(β ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp only: ES_valid_def traces_prefixclosed_def
projection_concatenation_commute
prefixclosed_def prefix_def, auto)
moreover
note total_ES2_C2_inter_Upsilon2
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA2
ultimately obtain α2''
where one: "(β ↿ E⇘ES2⇙) @ [c] @ α2'' ∈ Tr⇘ES2⇙"
and two: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and three: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA2'' = "ν ↿ E⇘ES2⇙"
from one validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from νE2_empty
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by simp
moreover
from c_is_c' c'_in_E2 one v'_notin_E2 νE2_empty
have "(β ↿ E⇘ES2⇙) @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note two three
moreover
from νE2_empty δ1''_is_ν have "?DELTA2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
by (simp add: projection_def)
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ1''_is_μc'ν have μ_is_c_xs: "μ = [c] @ xs"
and δ1''_is_xs_c'_ν: "δ1'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE2 have "n = length ((c # (xs @ ν)) ↿ E⇘ES2⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ1''_is_μc'ν μ_is_c_xs νE2_empty
show ?thesis
by (subst res, simp only: cδ1''_is_μc'ν projection_concatenation_commute
set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ1''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover note Suc(1)[of c "xs @ ν" β α2']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES2⇙"
and two: "set γ ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and three: "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ @ [v'] ↿ E⇘ES2⇙ @ δ ∈ Tr⇘ES2⇙"
and four: "δ ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and five: "δ ↿ C⇘𝒱2⇙ = []"
and six: "γ ↿ E⇘ES1⇙ = (xs @ ν) ↿ E⇘ES2⇙"
by blast
let ?BETA = "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ"
from c'_in_Cv2_inter_Upsilon2 have "c' ∈ C⇘𝒱2⇙"
by auto
moreover
from three v'_notin_E2 have "?BETA @ δ ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note five
moreover
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ ?BETA c'"
proof -
have "?BETA @ [c'] ∈ Tr⇘ES2⇙"
proof -
from validES2 three have "?BETA ∈ Tr⇘ES2⇙"
by (simp only: ES_valid_def traces_prefixclosed_def
projection_concatenation_commute prefixclosed_def prefix_def, auto)
moreover
note c'_in_Cv2_inter_Upsilon2 total_ES2_C2_inter_Upsilon2
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA2
ultimately obtain α2''
where bsia_one: "?BETA @ [c'] @ α2'' ∈ Tr⇘ES2⇙"
and bsia_two: "α2'' ↿ V⇘𝒱2⇙ = δ ↿ V⇘𝒱2⇙"
and bsia_three: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA2'' = "γ @ [c']"
from bsia_one validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
proof -
from Suc(7) c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν
have "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with two show ?thesis
by auto
qed
moreover
from bsia_one v'_notin_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
from bsia_two four have "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
by simp
moreover
note bsia_three
moreover
have "?DELTA2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
proof -
from validV1 Suc(7) δ1''_is_xs_c'_ν have "c' ∈ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with c'_in_E2 c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν νE2_empty six
show ?thesis
by (simp only: projection_concatenation_commute
projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E2α2'_in_Tr2 α2'Cv2_empty cδ1''E2_in_Cv2_inter_Upsilon2star
c_in_Cv_inter_Upsilon δ1''_in_N1_inter_Delta1star]
show ?thesis
by blast
qed
then obtain α2'' δ2''
where α2''_in_E2star: "set α2'' ⊆ E⇘ES2⇙"
and δ2''_in_N2_inter_Delta2star:"set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and βE2_cE2_δ2''_v'E2_α2''_in_Tr2:
"β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_α2'Vv2: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
and δ2''E1_is_δ1''E2: "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
by blast
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 βE1_cE1_δ1''_v'E1_α1''_in_Tr1
validES2 validES1
have δ2''_in_E2star: "set δ2'' ⊆ E⇘ES2⇙" and δ1''_in_E1star: "set δ1'' ⊆ E⇘ES1⇙"
by (simp_all add: ES_valid_def traces_contain_events_def, auto)
with δ2''E1_is_δ1''E2 merge_property[of δ2'' "E⇘ES2⇙" δ1'' "E⇘ES1⇙"] obtain δ'
where δ'E2_is_δ2'': "δ' ↿ E⇘ES2⇙ = δ2''"
and δ'E1_is_δ1'': "δ' ↿ E⇘ES1⇙ = δ1''"
and δ'_contains_only_δ2''_δ1''_events: "set δ' ⊆ set δ2'' ∪ set δ1''"
unfolding Let_def
by auto
let ?TAU = "β @ [c] @ δ' @ [v']"
let ?LAMBDA = "α ↿ V⇘𝒱⇙"
let ?T2 = α2''
let ?T1 = α1''
have "?TAU ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2'' validES2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ' ↿ E⇘ES2⇙ @ [v'] ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: projection_def, auto)
moreover
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1'' validES1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ' ↿ E⇘ES1⇙ @ [v'] ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: projection_def, auto)
moreover
from βv'α_in_Tr c_in_Cv_inter_Upsilon VIsViewOnE δ'_contains_only_δ2''_δ1''_events
δ2''_in_E2star δ1''_in_E1star
have "set (β @ [c] @ δ' @ [v']) ⊆ E⇘ES2⇙ ∪ E⇘ES1⇙"
unfolding composeES_def isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def
by auto
ultimately show ?thesis
unfolding composeES_def
by auto
qed
hence "set ?TAU ⊆ E⇘(ES1 ∥ ES2)⇙"
unfolding composeES_def
by auto
moreover
have "set ?LAMBDA ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
note α2''_in_E2star α1''_in_E1star
moreover
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2''
have "?TAU ↿ E⇘ES2⇙ @ ?T2 ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1''
have "?TAU ↿ E⇘ES1⇙ @ ?T1 ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
have "?LAMBDA ↿ E⇘ES2⇙ = ?T2 ↿ V⇘𝒱⇙"
proof -
from propSepViews
have "?LAMBDA ↿ E⇘ES2⇙ = α ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def by (simp only: projection_sequence)
moreover
from α2''_in_E2star propSepViews
have "?T2 ↿ V⇘𝒱⇙ = ?T2 ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α2'Vv2_is_αVv2 α2''Vv2_is_α2'Vv2
ultimately show ?thesis
by simp
qed
moreover
have "?LAMBDA ↿ E⇘ES1⇙ = ?T1 ↿ V⇘𝒱⇙"
proof -
from propSepViews
have "?LAMBDA ↿ E⇘ES1⇙ = α ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def by (simp add: projection_sequence)
moreover
from α1''_in_E1star propSepViews
have "?T1 ↿ V⇘𝒱⇙ = ?T1 ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α1'Vv1_is_αVv1 α1''Vv1_is_α1'Vv1
ultimately show ?thesis
by simp
qed
moreover
note α2''Cv2_empty α1''Cv1_empty generalized_zipping_lemma
ultimately obtain t
where "?TAU @ t ∈ Tr⇘(ES1 ∥ ES2)⇙"
and "t ↿ V⇘𝒱⇙ = ?LAMBDA"
and "t ↿ C⇘𝒱⇙ = []"
by blast
moreover
have "set δ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙"
proof -
from δ'_contains_only_δ2''_δ1''_events δ2''_in_N2_inter_Delta2star
δ1''_in_N1_inter_Delta1star
have "set δ' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with Delta1_N1_Delta2_N2_subset_Delta Nv1_union_Nv2_subsetof_Nv show ?thesis
by auto
qed
ultimately have "∃α' γ'. (set γ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙ ∧ β @ [c] @ γ' @ [v'] @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by (simp only: append_assoc, blast)
}
ultimately have "∃α' γ'. (set γ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙ ∧ β @ [c] @ γ' @ [v'] @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by blast
}
thus ?thesis
unfolding FCI_def
by blast
qed
(* Compositionality of FCIA for the parallel composition ES1 ∥ ES2.
   FCIA_def itself is not in view; the shape this proof works with is:
   given c ∈ C ∩ Υ, v' ∈ V ∩ ∇, a trace β @ [v'] @ α with α ↿ C = [] and
   Adm 𝒱 ρ Tr β c, produce α' and corrective events γ' ⊆ N ∩ Δ such that
   β @ [c] @ γ' @ [v'] @ α' is a trace, α' agrees with α on V and contains
   no C events (see the fix/assume block and the final ∃-goal of each case).

   Security-relevant reading of the side conditions (all of them are used
   below; locale facts such as propSepViews, validES1/2, validV1/2,
   disjoint_Nv2_Vv1, Nv1_union_Nv2_subsetof_Nv, merge_property and
   generalized_zipping_lemma come from the enclosing context, not shown here):
   - BSD / BSIA of each component plus ρi 𝒱i ⊆ ρ 𝒱 ∩ Ei: admissibility of c
     w.r.t. ρ in the composed system must be transferable to admissibility
     w.r.t. ρi in the component (the Adm sub-proofs below rely on exactly this
     inclusion); a ρi that observes more than ρ would break the argument.
   - total ES1 (C1 ∩ Υ1 ∩ N2 ∩ Δ2) (and symmetrically for ES2): corrective
     events chosen by one component that the other component also participates
     in must be accepted by that other component after any of its traces.
   - ∇ ∩ Ei ⊆ ∇i and Υ ∩ Ei ⊆ Υi: the composed view's trigger (v') and cause
     (c) events are also triggers/causes of the component views.
   - Δi ∩ Ni ⊆ Δ: corrective events of a component remain corrective events
     of the composed view.
   - the disjunction (very_long_asm): in the direction proved first, ES1's
     corrective events never occur in ES2, and ES2's corrective events that
     occur in ES1 are causes (Υ1) there; the second direction is symmetric.
     The proof case-splits on it and uses exactly one direction per case. *)
theorem compositionality_FCIA:
"⟦ BSD 𝒱1 Tr⇘ES1⇙; BSD 𝒱2 Tr⇘ES2⇙; BSIA ρ1 𝒱1 Tr⇘ES1⇙; BSIA ρ2 𝒱2 Tr⇘ES2⇙;
(ρ1 𝒱1) ⊆ (ρ 𝒱) ∩ E⇘ES1⇙; (ρ2 𝒱2) ⊆ (ρ 𝒱) ∩ E⇘ES2⇙;
total ES1 (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙); total ES2 (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙);
∇⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ ∇⇘Γ1⇙; ∇⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ ∇⇘Γ2⇙;
Υ⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙; Υ⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙;
( Δ⇘Γ1⇙ ∩ N⇘𝒱1⇙ ∪ Δ⇘Γ2⇙ ∩ N⇘𝒱2⇙ ) ⊆ Δ⇘Γ⇙;
(N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙)
∨ ( N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {} ∧ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙) ;
FCIA ρ1 Γ1 𝒱1 Tr⇘ES1⇙; FCIA ρ2 Γ2 𝒱2 Tr⇘ES2⇙ ⟧
⟹ FCIA ρ Γ 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
(* Name every premise; the names are referenced throughout the proof. *)
assume BSD1: "BSD 𝒱1 Tr⇘ES1⇙"
and BSD2: "BSD 𝒱2 Tr⇘ES2⇙"
and BSIA1: "BSIA ρ1 𝒱1 Tr⇘ES1⇙"
and BSIA2: "BSIA ρ2 𝒱2 Tr⇘ES2⇙"
and ρ1v1_subset_ρv_inter_E1: "(ρ1 𝒱1) ⊆ (ρ 𝒱) ∩ E⇘ES1⇙"
and ρ2v2_subset_ρv_inter_E2: "(ρ2 𝒱2) ⊆ (ρ 𝒱) ∩ E⇘ES2⇙"
and total_ES1_C1_inter_Upsilon1_inter_N2_inter_Delta2:
"total ES1 (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
and total_ES2_C2_inter_Upsilon2_inter_N1_inter_Delta1:
"total ES2 (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
and Nabla_inter_E1_subset_Nabla1: "∇⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ ∇⇘Γ1⇙"
and Nabla_inter_E2_subset_Nabla2: "∇⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ ∇⇘Γ2⇙"
and Upsilon_inter_E1_subset_Upsilon1: "Υ⇘Γ⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙"
and Upsilon_inter_E2_subset_Upsilon2: "Υ⇘Γ⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙"
and Delta1_N1_Delta2_N2_subset_Delta: "( Δ⇘Γ1⇙ ∩ N⇘𝒱1⇙ ∪ Δ⇘Γ2⇙ ∩ N⇘𝒱2⇙ ) ⊆ Δ⇘Γ⇙"
(* The two disjuncts are handled by the two big `moreover { ... }` blocks
   that follow; only one direction is needed in each. *)
and very_long_asm: "(N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {} ∧ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙)
∨ ( N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {} ∧ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙)"
and FCIA1: "FCIA ρ1 Γ1 𝒱1 Tr⇘ES1⇙"
and FCIA2: "FCIA ρ2 Γ2 𝒱2 Tr⇘ES2⇙"
{
fix α β c v'
assume c_in_Cv_inter_Upsilon: "c ∈ (C⇘𝒱⇙ ∩ Υ⇘Γ⇙)"
and v'_in_Vv_inter_Nabla: "v' ∈ (V⇘𝒱⇙ ∩ ∇⇘Γ⇙)"
and βv'α_in_Tr: "(β @ [v'] @ α) ∈ Tr⇘(ES1 ∥ ES2)⇙"
and αCv_empty: "α ↿ C⇘𝒱⇙ = []"
and Adm: "Adm 𝒱 ρ (Tr⇘(ES1 ∥ ES2)⇙) β c"
interpret CSES1: CompositionSupport "ES1" "𝒱" "𝒱1"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES1 validV1)
interpret CSES2: CompositionSupport "ES2" "𝒱" "𝒱2"
using propSepViews unfolding properSeparationOfViews_def
by (simp add: CompositionSupport_def validES2 validV2)
from βv'α_in_Tr
have βv'α_E1_in_Tr1: "(((β @ [v']) @ α) ↿ E⇘ES1⇙) ∈ Tr⇘ES1⇙"
and βv'α_E2_in_Tr2: "(((β @ [v']) @ α) ↿ E⇘ES2⇙) ∈ Tr⇘ES2⇙"
by (simp add: composeES_def)+
from CSES1.BSD_in_subsystem2[OF βv'α_E1_in_Tr1 BSD1] obtain α1'
where βv'E1α1'_in_Tr1: "(β @ [v']) ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
and α1'Vv1_is_αVv1: "α1' ↿ V⇘𝒱1⇙ = α ↿ V⇘𝒱1⇙"
and α1'Cv1_empty: "α1' ↿ C⇘𝒱1⇙ = []"
by auto
from CSES2.BSD_in_subsystem2[OF βv'α_E2_in_Tr2 BSD2] obtain α2'
where βv'E2α2'_in_Tr2: "(β @ [v']) ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
and α2'Vv2_is_αVv2: "α2' ↿ V⇘𝒱2⇙ = α ↿ V⇘𝒱2⇙"
and α2'Cv2_empty: "α2' ↿ C⇘𝒱2⇙ = []"
by auto
note very_long_asm
moreover {
assume Nv1_inter_Delta1_inter_E2_empty: "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ = {}"
and Nv2_inter_Delta2_inter_E1_subsetof_Upsilon1: "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ Υ⇘Γ1⇙"
let ?ALPHA2''_DELTA2'' = "∃ α2'' δ2''. (
set α2'' ⊆ E⇘ES2⇙ ∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = [])"
from c_in_Cv_inter_Upsilon v'_in_Vv_inter_Nabla validV2
have "c ∉ E⇘ES2⇙ ∨ (c ∈ E⇘ES2⇙ ∧ v' ∉ E⇘ES2⇙) ∨ (c ∈ E⇘ES2⇙ ∧ v' ∈ E⇘ES2⇙)"
by (simp add: V_valid_def isViewOn_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def)
moreover {
assume c_notin_E2: "c ∉ E⇘ES2⇙"
from validES2 βv'E2α2'_in_Tr2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from βv'E2α2'_in_Tr2 c_notin_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
have "α2' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙" ..
moreover
note α2'Cv2_empty
ultimately have ?ALPHA2''_DELTA2''
by blast
}
moreover {
assume c_in_E2: "c ∈ E⇘ES2⇙"
and v'_notin_E2: "v' ∉ E⇘ES2⇙"
from c_in_E2 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E2_subset_Upsilon2
have c_in_Cv2_inter_Upsilon2: "c ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def by auto
hence "c ∈ C⇘𝒱2⇙"
by auto
moreover
from βv'E2α2'_in_Tr2 v'_notin_E2 have "β ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note α2'Cv2_empty
moreover
(* Transfer admissibility from the composed system to ES2.  The witness γ of
   Adm 𝒱 ρ (a trace agreeing with β on ρ 𝒱 after which c is enabled) projects
   to a witness for Adm 𝒱2 ρ2: γ ↿ E2 @ [c] is a trace of ES2 because c ∈ E2
   (composeES_def), and agreement on ρ2 𝒱2 follows from agreement on ρ 𝒱 via
   the premise ρ2 𝒱2 ⊆ ρ 𝒱 ∩ E2.  This is the step that would fail if the
   component's ρ2 observed anything the composed ρ does not. *)
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ (β ↿ E⇘ES2⇙) c"
proof -
from Adm obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
(* first Adm conjunct: the extended witness is a component trace *)
from c_in_E2 γc_in_Tr have "(γ ↿ E⇘ES2⇙) @ [c] ∈ Tr⇘ES2⇙"
by (simp add: projection_def composeES_def)
moreover
(* second Adm conjunct: agreement on the smaller set ρ2 𝒱2.
   NOTE(review): the intermediate fact on the E2-projection appears unused by
   the metis call below, which cites γρv_is_βρv directly — candidate for
   simplification, to be confirmed by re-checking in Isabelle. *)
have "γ ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2) = β ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES2⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES2⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ2v2_subset_ρv_inter_E2 have "γ ↿ (ρ2 𝒱2) = β ↿ (ρ2 𝒱2)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note BSIA2
ultimately obtain α2''
where one: "β ↿ E⇘ES2⇙ @ [c] @ α2'' ∈ Tr⇘ES2⇙"
and two: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and three: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSIA_def
by blast
from one validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from one c_in_E2 v'_notin_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note two three
ultimately have ?ALPHA2''_DELTA2''
by blast
}
moreover {
assume c_in_E2: "c ∈ E⇘ES2⇙"
and v'_in_E2: "v' ∈ E⇘ES2⇙"
from c_in_E2 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E2_subset_Upsilon2
have c_in_Cv2_inter_Upsilon2: "c ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E2 propSepViews v'_in_Vv_inter_Nabla Nabla_inter_E2_subset_Nabla2
have "v' ∈ V⇘𝒱2⇙ ∩ Nabla Γ2"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E2 βv'E2α2'_in_Tr2 have "β ↿ E⇘ES2⇙ @ [v'] @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note α2'Cv2_empty
moreover
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ (β ↿ E⇘ES2⇙) c"
proof -
from Adm obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from c_in_E2 γc_in_Tr have "(γ ↿ E⇘ES2⇙) @ [c] ∈ Tr⇘ES2⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2) = β ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES2⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES2⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ2v2_subset_ρv_inter_E2 have "γ ↿ (ρ2 𝒱2) = β ↿ (ρ2 𝒱2)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note FCIA2
ultimately obtain α2'' δ2''
where one: "set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and two: "β ↿ E⇘ES2⇙ @ [c] @ δ2'' @ [v'] @ α2'' ∈ Tr⇘ES2⇙"
and three: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and four: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCIA_def
by blast
from two validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
note one
moreover
from two c_in_E2 v'_in_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note three four
ultimately have ?ALPHA2''_DELTA2''
by blast
}
ultimately obtain α2'' δ2''
where α2''_in_E2star: "set α2'' ⊆ E⇘ES2⇙"
and δ2''_in_N2_inter_Delta2star:"set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and βE2_cE2_δ2''_v'E2_α2''_in_Tr2:
"β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_α2'Vv2: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
by blast
from c_in_Cv_inter_Upsilon Upsilon_inter_E1_subset_Upsilon1 propSepViews
have cE1_in_Cv1_inter_Upsilon1: "set ([c] ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def by (simp add: projection_def, auto)
(* Classify the corrective events of ES2 that ES1 also participates in.
   δ2'' ⊆ N2 ∩ Δ2, so δ2'' ↿ E1 only contains N2 ∩ Δ2 ∩ E1 events; the
   premise N2 ∩ Δ2 ∩ E1 ⊆ Υ1 (this case of very_long_asm) together with the
   view-separation facts (propSepViews, disjoint_Nv2_Vv1 — locale facts not
   in view) and validV1 places them in C1 ∩ Υ1.  In other words: what ES2
   inserts as an invisible correction is, from ES1's perspective, a sequence
   of confidential cause events, which is why ES1's own FCIA/BSIA can be
   applied to them one by one in the induction below. *)
from δ2''_in_N2_inter_Delta2star Nv2_inter_Delta2_inter_E1_subsetof_Upsilon1
propSepViews disjoint_Nv2_Vv1
have δ2''E1_in_Cv1_inter_Upsilon1star: "set (δ2'' ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
(* restricting to E1 is the same as restricting to N2 ∩ Δ2 ∩ E1, since
   every event of δ2'' is already in N2 ∩ Δ2 *)
from δ2''_in_N2_inter_Delta2star
have eq: "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙)"
by (metis Int_commute Int_left_commute Int_lower1 Int_lower2
projection_intersection_neutral subset_trans)
from validV1 Nv2_inter_Delta2_inter_E1_subsetof_Upsilon1
propSepViews disjoint_Nv2_Vv1
have "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (subst eq, simp only: projection_def, auto)
qed
have cδ2''E1_in_Cv1_inter_Upsilon1star: "set ((c # δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
from cE1_in_Cv1_inter_Upsilon1 δ2''E1_in_Cv1_inter_Upsilon1star
have "set (([c] @ δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by auto
qed
have
"∃ α1'' δ1''. set α1'' ⊆ E⇘ES1⇙ ∧ set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙
∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []
∧ δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
proof cases
assume v'_in_E1: "v' ∈ E⇘ES1⇙"
with Nabla_inter_E1_subset_Nabla1 propSepViews v'_in_Vv_inter_Nabla
have v'_in_Vv1_inter_Nabla1: "v' ∈ V⇘𝒱1⇙ ∩ Nabla Γ1"
unfolding properSeparationOfViews_def by auto
have "⟦ (β @ [v']) ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙ ;
α1' ↿ C⇘𝒱1⇙ = []; set ((c # δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ;
c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ; set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙;
Adm 𝒱 ρ (Tr⇘(ES1 ∥ ES2)⇙) β c ⟧
⟹ ∃ α1'' δ1''.
(set α1'' ⊆ E⇘ES1⇙ ∧ set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙
∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []
∧ δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙)"
proof (induct "length ((c # δ2'') ↿ E⇘ES1⇙)" arbitrary: β α1' c δ2'')
case 0
from 0(2) validES1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES1⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α1' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E1: "c' ∈ E⇘ES1⇙"
and cδ2''_is_μc'ν: "c # δ2'' = μ @ [c'] @ ν"
and νE1_empty: "ν ↿ E⇘ES1⇙ = []"
and n_is_length_μνE1: "n = length ((μ @ ν) ↿ E⇘ES1⇙)"
by blast
from Suc(5) c'_in_E1 cδ2''_is_μc'ν have "set (μ ↿ E⇘ES1⇙ @ [c']) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp only: cδ2''_is_μc'ν projection_concatenation_commute
projection_def, auto)
hence c'_in_Cv1_inter_Upsilon1: "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by auto
hence c'_in_Cv1: "c' ∈ C⇘𝒱1⇙" and c'_in_Upsilon1: "c' ∈ Υ⇘Γ1⇙"
by auto
with validV1 have c'_in_E1: "c' ∈ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ2''_is_μc'ν have c_is_c': "c = c'" and δ2''_is_ν: "δ2'' = ν"
by auto
with c'_in_Cv1_inter_Upsilon1 have "c ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by simp
moreover
note v'_in_Vv1_inter_Nabla1
moreover
from v'_in_E1 Suc(3) have "(β ↿ E⇘ES1⇙) @ [v'] @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4)
moreover
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ (β ↿ E⇘ES1⇙) c"
proof -
from Suc(8) obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from c_is_c' c'_in_E1 γc_in_Tr have "(γ ↿ E⇘ES1⇙) @ [c] ∈ Tr⇘ES1⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1) = β ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES1⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES1⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ1v1_subset_ρv_inter_E1 have "γ ↿ (ρ1 𝒱1) = β ↿ (ρ1 𝒱1)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note FCIA1
ultimately obtain α1'' γ
where one: "set γ ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and two: "β ↿ E⇘ES1⇙ @ [c] @ γ @ [v'] @ α1'' ∈ Tr⇘ES1⇙"
and three: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and four: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCIA_def
by blast
let ?DELTA1'' = "ν ↿ E⇘ES1⇙ @ γ"
from two validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from one νE1_empty
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
proof -
from c_is_c' c'_in_E1 have "[c] = [c] ↿ E⇘ES1⇙"
by (simp add: projection_def)
moreover
from v'_in_E1 have "[v'] = [v'] ↿ E⇘ES1⇙"
by (simp add: projection_def)
moreover
note νE1_empty two
ultimately show ?thesis
by auto
qed
moreover
note three four
moreover
have "?DELTA1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
proof -
have "γ ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = []"
proof -
from validV1 have "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = {}"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with projection_intersection_neutral[OF one, of "C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"]
show ?thesis
by (simp add: projection_def)
qed
with δ2''_is_ν νE1_empty show ?thesis
by (simp add: projection_concatenation_commute)
qed
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ2''_is_μc'ν
have μ_is_c_xs: "μ = [c] @ xs" and δ2''_is_xs_c'_ν: "δ2'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE1 have "n = length ((c # (xs @ ν)) ↿ E⇘ES1⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ2''_is_μc'ν μ_is_c_xs νE1_empty
show ?thesis
by (subst res, simp only: cδ2''_is_μc'ν
projection_concatenation_commute set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ2''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover note Suc(8) Suc(1)[of c "xs @ ν" β α1']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES1⇙"
and two: "set γ ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and three: "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ @ [v'] ↿ E⇘ES1⇙ @ δ ∈ Tr⇘ES1⇙"
and four: "δ ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and five: "δ ↿ C⇘𝒱1⇙ = []"
and six: "γ ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = (xs @ ν) ↿ E⇘ES1⇙"
by blast
let ?BETA = "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ"
note c'_in_Cv1_inter_Upsilon1 v'_in_Vv1_inter_Nabla1
moreover
from three v'_in_E1 have "?BETA @ [v'] @ δ ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note five
moreover
(* Admissibility of c' in ES1 is NOT inherited from the composed system
   here (c' is not the event c the composed Adm talks about).  Instead,
   c' ∈ C1 ∩ Υ1 ∩ N2 ∩ Δ2 is one of ES2's corrective events that ES1
   participates in, and the totality premise on exactly this set says ES1
   accepts such an event after any of its traces — in particular after
   ?BETA, which is a prefix of the trace `three` (prefix closure from
   validES1).  ?BETA itself then serves as the Adm witness. *)
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ ?BETA c'"
proof -
have "?BETA @ [c'] ∈ Tr⇘ES1⇙"
proof -
from Suc(7) c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν
have "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from validES1 three have "?BETA ∈ Tr⇘ES1⇙"
by (unfold ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def, auto)
moreover
note total_ES1_C1_inter_Upsilon1_inter_N2_inter_Delta2
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note FCIA1
ultimately obtain α1'' δ'
where fcia_one: "set δ' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and fcia_two: "?BETA @ [c'] @ δ' @ [v'] @ α1'' ∈ Tr⇘ES1⇙"
and fcia_three: "α1'' ↿ V⇘𝒱1⇙ = δ ↿ V⇘𝒱1⇙"
and fcia_four: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCIA_def
by blast
let ?DELTA1'' = "γ @ [c'] @ δ'"
from fcia_two validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
proof -
from Suc(7) c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν
have "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with two fcia_one show ?thesis
by auto
qed
moreover
from fcia_two v'_in_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
from fcia_three four have "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
by simp
moreover
note fcia_four
moreover
have "?DELTA1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
proof -
have "δ' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = []"
proof -
from fcia_one have "∀ e ∈ set δ'. e ∈ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with validV1 have "∀ e ∈ set δ'. e ∉ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (simp add: projection_def)
qed
with c'_in_E1 c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν νE1_empty six
show ?thesis
by (simp only: projection_concatenation_commute projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E1α1'_in_Tr1 α1'Cv1_empty cδ2''E1_in_Cv1_inter_Upsilon1star
c_in_Cv_inter_Upsilon δ2''_in_N2_inter_Delta2star Adm]
obtain α1'' δ1''
where one: "set α1'' ⊆ E⇘ES1⇙"
and two: "set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and three: "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []"
and four: "δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) = δ2'' ↿ E⇘ES1⇙"
by blast
note one two three
moreover
(* Synchronisation of the two corrective sequences: the part of δ1'' that
   ES2 participates in is exactly the part of δ2'' that ES1 participates in.
   This needs the case assumption N1 ∩ Δ1 ∩ E2 = {} (ES1's own corrective
   events are private to ES1), so the only δ1'' events in E2 are the
   C1 ∩ Υ1 ∩ N2 ∩ Δ2 events that were inserted to mirror δ2'' (fact `four`).
   The equality is the precondition for merge_property below, which builds
   the single corrective sequence δ' of the composed trace. *)
have "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
proof -
(* restrict δ1'' to E2: the N1 ∩ Δ1 part vanishes by the case assumption *)
from projection_intersection_neutral[OF two, of "E⇘ES2⇙"]
Nv1_inter_Delta1_inter_E2_empty validV2
have "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES2⇙)"
by (simp only: Int_Un_distrib2, auto)
moreover
(* N2 ⊆ E2 by validV2, so the ∩ E2 is redundant *)
from validV2
have "C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES2⇙ = C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by (simp add:isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
ultimately have "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by simp
hence "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙) ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by (simp add: projection_def)
(* `four` identifies the C1 ∩ Υ1 part of δ1'' with δ2'' ↿ E1 *)
with four have "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙ ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙)"
by simp
hence "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ (N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙) ↿ E⇘ES1⇙"
by (simp only: projection_commute)
with δ2''_in_N2_inter_Delta2star show ?thesis
by (simp only: list_subset_iff_projection_neutral)
qed
ultimately show ?thesis
by blast
next
assume v'_notin_E1: "v' ∉ E⇘ES1⇙"
have "⟦ (β @ [v']) ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙ ;
α1' ↿ C⇘𝒱1⇙ = []; set ((c # δ2'') ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ;
c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ; set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙;
Adm 𝒱 ρ (Tr⇘(ES1 ∥ ES2)⇙) β c ⟧
⟹ ∃ α1'' δ1''. (set α1'' ⊆ E⇘ES1⇙ ∧ set δ1'' ⊆ N⇘𝒱1⇙
∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙
∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = []
∧ δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙)"
proof (induct "length ((c # δ2'') ↿ E⇘ES1⇙)" arbitrary: β α1' c δ2'')
case 0
from 0(2) validES1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES1⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α1' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E1: "c' ∈ E⇘ES1⇙"
and cδ2''_is_μc'ν: "c # δ2'' = μ @ [c'] @ ν"
and νE1_empty: "ν ↿ E⇘ES1⇙ = []"
and n_is_length_μνE1: "n = length ((μ @ ν) ↿ E⇘ES1⇙)"
by blast
from Suc(5) c'_in_E1 cδ2''_is_μc'ν have "set (μ ↿ E⇘ES1⇙ @ [c']) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by (simp only: cδ2''_is_μc'ν projection_concatenation_commute projection_def, auto)
hence c'_in_Cv1_inter_Upsilon1: "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
by auto
hence c'_in_Cv1: "c' ∈ C⇘𝒱1⇙" and c'_in_Upsilon1: "c' ∈ Υ⇘Γ1⇙"
by auto
with validV1 have c'_in_E1: "c' ∈ E⇘ES1⇙"
by (simp add:isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ2''_is_μc'ν have c_is_c': "c = c'" and δ2''_is_ν: "δ2'' = ν"
by auto
with c'_in_Cv1_inter_Upsilon1 have "c ∈ C⇘𝒱1⇙"
by simp
moreover
from v'_notin_E1 Suc(3) have "(β ↿ E⇘ES1⇙) @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4)
moreover
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ (β ↿ E⇘ES1⇙) c"
proof -
from Suc(8) obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from c_is_c' c'_in_E1 γc_in_Tr have "(γ ↿ E⇘ES1⇙) @ [c] ∈ Tr⇘ES1⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1) = β ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES1⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES1⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ1v1_subset_ρv_inter_E1 have "γ ↿ (ρ1 𝒱1) = β ↿ (ρ1 𝒱1)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note BSIA1
ultimately obtain α1''
where one: "(β ↿ E⇘ES1⇙) @ [c] @ α1'' ∈ Tr⇘ES1⇙"
and two: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and three: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA1'' = "ν ↿ E⇘ES1⇙"
from one validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from νE1_empty
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by simp
moreover
from c_is_c' c'_in_E1 one v'_notin_E1 νE1_empty
have "(β ↿ E⇘ES1⇙) @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note two three
moreover
from νE1_empty δ2''_is_ν have "?DELTA1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
by (simp add: projection_def)
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ2''_is_μc'ν
have μ_is_c_xs: "μ = [c] @ xs" and δ2''_is_xs_c'_ν: "δ2'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE1 have "n = length ((c # (xs @ ν)) ↿ E⇘ES1⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES1⇙) ⊆ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ2''_is_μc'ν μ_is_c_xs νE1_empty
show ?thesis
by (subst res, simp only: cδ2''_is_μc'ν projection_concatenation_commute
set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ2''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover note Suc(8) Suc(1)[of c "xs @ ν" β α1']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES1⇙"
and two: "set γ ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and three: "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ @ [v'] ↿ E⇘ES1⇙ @ δ ∈ Tr⇘ES1⇙"
and four: "δ ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and five: "δ ↿ C⇘𝒱1⇙ = []"
and six: "γ ↿ E⇘ES2⇙ = (xs @ ν) ↿ E⇘ES1⇙"
by blast
let ?BETA = "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ γ"
from c'_in_Cv1_inter_Upsilon1 have "c' ∈ C⇘𝒱1⇙"
by auto
moreover
from three v'_notin_E1 have "?BETA @ δ ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note five
moreover
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ ?BETA c'"
proof -
have "?BETA @ [c'] ∈ Tr⇘ES1⇙"
proof -
from Suc(7) c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν
have "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
moreover
from validES1 three have "?BETA ∈ Tr⇘ES1⇙"
by (unfold ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def, auto)
moreover
note total_ES1_C1_inter_Upsilon1_inter_N2_inter_Delta2
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA1
ultimately obtain α1''
where bsia_one: "?BETA @ [c'] @ α1'' ∈ Tr⇘ES1⇙"
and bsia_two: "α1'' ↿ V⇘𝒱1⇙ = δ ↿ V⇘𝒱1⇙"
and bsia_three: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA1'' = "γ @ [c']"
from bsia_one validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
proof -
from Suc(7) c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν
have "c' ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with two show ?thesis
by auto
qed
moreover
from bsia_one v'_notin_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ ?DELTA1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
from bsia_two four have "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
by simp
moreover
note bsia_three
moreover
have "?DELTA1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
proof -
from validV2 Suc(7) δ2''_is_xs_c'_ν have "c' ∈ E⇘ES2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with c'_in_E1 c'_in_Cv1_inter_Upsilon1 δ2''_is_xs_c'_ν νE1_empty six
show ?thesis
by (simp only: projection_concatenation_commute projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E1α1'_in_Tr1 α1'Cv1_empty cδ2''E1_in_Cv1_inter_Upsilon1star
c_in_Cv_inter_Upsilon δ2''_in_N2_inter_Delta2star Adm]
show ?thesis
by blast
qed
then obtain α1'' δ1''
where α1''_in_E1star: "set α1'' ⊆ E⇘ES1⇙"
and δ1''_in_N1_inter_Delta1star:"set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙ ∩ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and βE1_cE1_δ1''_v'E1_α1''_in_Tr1:
"β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_α1'Vv1: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
and δ1''E2_is_δ2''E1: "δ1'' ↿ E⇘ES2⇙ = δ2'' ↿ E⇘ES1⇙"
by blast
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 βE2_cE2_δ2''_v'E2_α2''_in_Tr2 validES1
validES2
have δ1''_in_E1star: "set δ1'' ⊆ E⇘ES1⇙" and δ2''_in_E2star: "set δ2'' ⊆ E⇘ES2⇙"
by (simp_all add: ES_valid_def traces_contain_events_def, auto)
with δ1''E2_is_δ2''E1 merge_property[of δ1'' "E⇘ES1⇙" δ2'' "E⇘ES2⇙"] obtain δ'
where δ'E1_is_δ1'': "δ' ↿ E⇘ES1⇙ = δ1''"
and δ'E2_is_δ2'': "δ' ↿ E⇘ES2⇙ = δ2''"
and δ'_contains_only_δ1''_δ2''_events: "set δ' ⊆ set δ1'' ∪ set δ2''"
unfolding Let_def
by auto
let ?TAU = "β @ [c] @ δ' @ [v']"
let ?LAMBDA = "α ↿ V⇘𝒱⇙"
let ?T1 = α1''
let ?T2 = α2''
(* ?TAU = β @ [c] @ δ' @ [v'] is a trace of the composed system.  By
   composeES_def this requires (i) its E1-projection to be a trace of ES1,
   (ii) its E2-projection to be a trace of ES2, and (iii) all its events to
   lie in E1 ∪ E2.  (i)/(ii) come from the component traces obtained earlier,
   cut down by prefix closure (validES1/validES2) and the merge equations
   δ' ↿ Ei = δi''. *)
have "?TAU ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1'' validES1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ' ↿ E⇘ES1⇙ @ [v'] ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: projection_def, auto)
moreover
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2'' validES2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ' ↿ E⇘ES2⇙ @ [v'] ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: projection_def, auto)
moreover
(* (iii): β, v' come from the original composed trace, c ∈ C ⊆ E via
   VIsViewOnE (locale fact), and δ' only contains δ1''/δ2'' events *)
from βv'α_in_Tr c_in_Cv_inter_Upsilon VIsViewOnE δ'_contains_only_δ1''_δ2''_events
δ1''_in_E1star δ2''_in_E2star
have "set (β @ [c] @ δ' @ [v']) ⊆ E⇘ES1⇙ ∪ E⇘ES2⇙"
unfolding composeES_def isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def
by auto
ultimately show ?thesis
unfolding composeES_def
by auto
qed
hence "set ?TAU ⊆ E⇘(ES1 ∥ ES2)⇙"
unfolding composeES_def
by auto
moreover
have "set ?LAMBDA ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
note α1''_in_E1star α2''_in_E2star
moreover
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1''
have "?TAU ↿ E⇘ES1⇙ @ ?T1 ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2''
have "?TAU ↿ E⇘ES2⇙ @ ?T2 ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
have "?LAMBDA ↿ E⇘ES1⇙ = ?T1 ↿ V⇘𝒱⇙"
proof -
from propSepViews have "?LAMBDA ↿ E⇘ES1⇙ = α ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def by (simp only: projection_sequence)
moreover
from α1''_in_E1star propSepViews
have "?T1 ↿ V⇘𝒱⇙ = ?T1 ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α1'Vv1_is_αVv1 α1''Vv1_is_α1'Vv1
ultimately show ?thesis
by simp
qed
moreover
have "?LAMBDA ↿ E⇘ES2⇙ = ?T2 ↿ V⇘𝒱⇙"
proof -
from propSepViews have "?LAMBDA ↿ E⇘ES2⇙ = α ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def by (simp only: projection_sequence)
moreover
from α2''_in_E2star propSepViews have "?T2 ↿ V⇘𝒱⇙ = ?T2 ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α2'Vv2_is_αVv2 α2''Vv2_is_α2'Vv2
ultimately show ?thesis
by simp
qed
moreover
note α1''Cv1_empty α2''Cv2_empty generalized_zipping_lemma
ultimately obtain t
where "?TAU @ t ∈ Tr⇘(ES1 ∥ ES2)⇙"
and "t ↿ V⇘𝒱⇙ = ?LAMBDA"
and "t ↿ C⇘𝒱⇙ = []"
by blast
moreover
(* The merged corrective sequence δ' consists only of corrective events of
   the composed view.  Note that δ1'' may contain C1 ∩ Υ1 ∩ N2 ∩ Δ2 events
   (confidential from ES1's point of view), but those are N2 ∩ Δ2 events and
   therefore land in N ∩ Δ via the premise Δi ∩ Ni ⊆ Δ and the locale fact
   Nv1_union_Nv2_subsetof_Nv (not in view) — they do not become confidential
   events of the composed system. *)
have "set δ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙"
proof -
from δ'_contains_only_δ1''_δ2''_events δ1''_in_N1_inter_Delta1star
δ2''_in_N2_inter_Delta2star
have "set δ' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∪ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with Delta1_N1_Delta2_N2_subset_Delta Nv1_union_Nv2_subsetof_Nv
show ?thesis
by auto
qed
ultimately have "∃α' γ'. (set γ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙ ∧ β @ [c] @ γ' @ [v'] @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by (simp only: append_assoc, blast)
}
moreover {
assume Nv2_inter_Delta2_inter_E1_empty: "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ E⇘ES1⇙ = {}"
and Nv1_inter_Delta1_inter_E2_subsetof_Upsilon2: "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ Υ⇘Γ2⇙"
let ?ALPHA1''_DELTA1'' = "∃ α1'' δ1''. (
set α1'' ⊆ E⇘ES1⇙ ∧ set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙
∧ α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙ ∧ α1'' ↿ C⇘𝒱1⇙ = [])"
from c_in_Cv_inter_Upsilon v'_in_Vv_inter_Nabla validV1
have "c ∉ E⇘ES1⇙ ∨ (c ∈ E⇘ES1⇙ ∧ v' ∉ E⇘ES1⇙) ∨ (c ∈ E⇘ES1⇙ ∧ v' ∈ E⇘ES1⇙)"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def)
moreover {
assume c_notin_E1: "c ∉ E⇘ES1⇙"
from validES1 βv'E1α1'_in_Tr1 have "set α1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from βv'E1α1'_in_Tr1 c_notin_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
have "α1' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙" ..
moreover
note α1'Cv1_empty
ultimately have ?ALPHA1''_DELTA1''
by blast
}
moreover {
assume c_in_E1: "c ∈ E⇘ES1⇙"
and v'_notin_E1: "v' ∉ E⇘ES1⇙"
from c_in_E1 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E1_subset_Upsilon1
have c_in_Cv1_inter_Upsilon1: "c ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def by auto
hence "c ∈ C⇘𝒱1⇙"
by auto
moreover
from βv'E1α1'_in_Tr1 v'_notin_E1 have "β ↿ E⇘ES1⇙ @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note α1'Cv1_empty
moreover
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ (β ↿ E⇘ES1⇙) c"
proof -
from Adm obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from c_in_E1 γc_in_Tr have "(γ ↿ E⇘ES1⇙) @ [c] ∈ Tr⇘ES1⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1) = β ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES1⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES1⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ1v1_subset_ρv_inter_E1 have "γ ↿ (ρ1 𝒱1) = β ↿ (ρ1 𝒱1)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note BSIA1
ultimately obtain α1''
where one: "β ↿ E⇘ES1⇙ @ [c] @ α1'' ∈ Tr⇘ES1⇙"
and two: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and three: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding BSIA_def
by blast
from one validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from one c_in_E1 v'_notin_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ [] @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note two three
ultimately have ?ALPHA1''_DELTA1''
by blast
}
moreover {
assume c_in_E1: "c ∈ E⇘ES1⇙"
and v'_in_E1: "v' ∈ E⇘ES1⇙"
from c_in_E1 c_in_Cv_inter_Upsilon propSepViews
Upsilon_inter_E1_subset_Upsilon1
have c_in_Cv1_inter_Upsilon1: "c ∈ C⇘𝒱1⇙ ∩ Υ⇘Γ1⇙"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E1 propSepViews v'_in_Vv_inter_Nabla
Nabla_inter_E1_subset_Nabla1
have "v' ∈ V⇘𝒱1⇙ ∩ Nabla Γ1"
unfolding properSeparationOfViews_def by auto
moreover
from v'_in_E1 βv'E1α1'_in_Tr1 have "β ↿ E⇘ES1⇙ @ [v'] @ α1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note α1'Cv1_empty
moreover
have "Adm 𝒱1 ρ1 Tr⇘ES1⇙ (β ↿ E⇘ES1⇙) c"
proof -
from Adm obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from c_in_E1 γc_in_Tr have "(γ ↿ E⇘ES1⇙) @ [c] ∈ Tr⇘ES1⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1) = β ↿ E⇘ES1⇙ ↿ (ρ1 𝒱1)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES1⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES1⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ1v1_subset_ρv_inter_E1 have "γ ↿ (ρ1 𝒱1) = β ↿ (ρ1 𝒱1)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note FCIA1
ultimately obtain α1'' δ1''
where one: "set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and two: "β ↿ E⇘ES1⇙ @ [c] @ δ1'' @ [v'] @ α1'' ∈ Tr⇘ES1⇙"
and three: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and four: "α1'' ↿ C⇘𝒱1⇙ = []"
unfolding FCIA_def
by blast
from two validES1 have "set α1'' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
note one
moreover
from two c_in_E1 v'_in_E1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
note three four
ultimately have ?ALPHA1''_DELTA1''
by blast
}
ultimately obtain α1'' δ1''
where α1''_in_E1star: "set α1'' ⊆ E⇘ES1⇙"
and δ1''_in_N1_inter_Delta1star:"set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and βE1_cE1_δ1''_v'E1_α1''_in_Tr1:
"β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ1'' @ [v'] ↿ E⇘ES1⇙ @ α1'' ∈ Tr⇘ES1⇙"
and α1''Vv1_is_α1'Vv1: "α1'' ↿ V⇘𝒱1⇙ = α1' ↿ V⇘𝒱1⇙"
and α1''Cv1_empty: "α1'' ↿ C⇘𝒱1⇙ = []"
by blast
from c_in_Cv_inter_Upsilon Upsilon_inter_E2_subset_Upsilon2 propSepViews
have cE2_in_Cv2_inter_Upsilon2: "set ([c] ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def by (simp add: projection_def, auto)
from δ1''_in_N1_inter_Delta1star Nv1_inter_Delta1_inter_E2_subsetof_Upsilon2
propSepViews disjoint_Nv1_Vv2
have δ1''E2_in_Cv2_inter_Upsilon2star: "set (δ1'' ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
from δ1''_in_N1_inter_Delta1star
have eq: "δ1'' ↿ E⇘ES2⇙ = δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙)"
by (metis Int_commute Int_left_commute Int_lower2 Int_lower1
projection_intersection_neutral subset_trans)
from validV2 Nv1_inter_Delta1_inter_E2_subsetof_Upsilon2
propSepViews disjoint_Nv1_Vv2
have "N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES2⇙ ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
unfolding properSeparationOfViews_def
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (subst eq, simp only: projection_def, auto)
qed
have cδ1''E2_in_Cv2_inter_Upsilon2star: "set ((c # δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
from cE2_in_Cv2_inter_Upsilon2 δ1''E2_in_Cv2_inter_Upsilon2star
have "set (([c] @ δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp only: projection_concatenation_commute, auto)
thus ?thesis
by auto
qed
have "∃ α2'' δ2''. set α2'' ⊆ E⇘ES2⇙
∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []
∧ δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
proof cases
assume v'_in_E2: "v' ∈ E⇘ES2⇙"
with Nabla_inter_E2_subset_Nabla2 propSepViews v'_in_Vv_inter_Nabla
have v'_in_Vv2_inter_Nabla2: "v' ∈ V⇘𝒱2⇙ ∩ Nabla Γ2"
unfolding properSeparationOfViews_def by auto
have "⟦ (β @ [v']) ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙ ;
α2' ↿ C⇘𝒱2⇙ = []; set ((c # δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ;
c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ; set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙;
Adm 𝒱 ρ (Tr⇘(ES1 ∥ ES2)⇙) β c ⟧
⟹ ∃ α2'' δ2''.
(set α2'' ⊆ E⇘ES2⇙ ∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []
∧ δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙)"
proof (induct "length ((c # δ1'') ↿ E⇘ES2⇙)" arbitrary: β α2' c δ1'')
case 0
from 0(2) validES2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES2⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α2' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E2: "c' ∈ E⇘ES2⇙"
and cδ1''_is_μc'ν: "c # δ1'' = μ @ [c'] @ ν"
and νE2_empty: "ν ↿ E⇘ES2⇙ = []"
and n_is_length_μνE2: "n = length ((μ @ ν) ↿ E⇘ES2⇙)"
by blast
from Suc(5) c'_in_E2 cδ1''_is_μc'ν have "set (μ ↿ E⇘ES2⇙ @ [c']) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp only: cδ1''_is_μc'ν projection_concatenation_commute
projection_def, auto)
hence c'_in_Cv2_inter_Upsilon2: "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by auto
hence c'_in_Cv2: "c' ∈ C⇘𝒱2⇙" and c'_in_Upsilon2: "c' ∈ Υ⇘Γ2⇙"
by auto
with validV2 have c'_in_E2: "c' ∈ E⇘ES2⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ1''_is_μc'ν have c_is_c': "c = c'" and δ1''_is_ν: "δ1'' = ν"
by auto
with c'_in_Cv2_inter_Upsilon2 have "c ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by simp
moreover
note v'_in_Vv2_inter_Nabla2
moreover
from v'_in_E2 Suc(3) have "(β ↿ E⇘ES2⇙) @ [v'] @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4)
moreover
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ (β ↿ E⇘ES2⇙) c"
proof -
from Suc(8) obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from c_is_c' c'_in_E2 γc_in_Tr have "(γ ↿ E⇘ES2⇙) @ [c] ∈ Tr⇘ES2⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2) = β ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES2⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES2⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ2v2_subset_ρv_inter_E2 have "γ ↿ (ρ2 𝒱2) = β ↿ (ρ2 𝒱2)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note FCIA2
ultimately obtain α2'' γ
where one: "set γ ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and two: "β ↿ E⇘ES2⇙ @ [c] @ γ @ [v'] @ α2'' ∈ Tr⇘ES2⇙"
and three: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and four: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCIA_def
by blast
let ?DELTA2'' = "ν ↿ E⇘ES2⇙ @ γ"
from two validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from one νE2_empty
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
proof -
from c_is_c' c'_in_E2 have "[c] = [c] ↿ E⇘ES2⇙"
by (simp add: projection_def)
moreover
from v'_in_E2 have "[v'] = [v'] ↿ E⇘ES2⇙"
by (simp add: projection_def)
moreover
note νE2_empty two
ultimately show ?thesis
by auto
qed
moreover
note three four
moreover
have "?DELTA2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
proof -
have "γ ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = []"
proof -
from validV2 have "N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∩ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = {}"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with projection_intersection_neutral[OF one, of "C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"]
show ?thesis
by (simp add: projection_def)
qed
with δ1''_is_ν νE2_empty show ?thesis
by (simp add: projection_concatenation_commute)
qed
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ1''_is_μc'ν
have μ_is_c_xs: "μ = [c] @ xs" and δ1''_is_xs_c'_ν: "δ1'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE2 have "n = length ((c # (xs @ ν)) ↿ E⇘ES2⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ1''_is_μc'ν μ_is_c_xs νE2_empty
show ?thesis
by (subst res, simp only: cδ1''_is_μc'ν
projection_concatenation_commute set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ1''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover note Suc(8) Suc(1)[of c "xs @ ν" β α2']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES2⇙"
and two: "set γ ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and three: "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ @ [v'] ↿ E⇘ES2⇙ @ δ ∈ Tr⇘ES2⇙"
and four: "δ ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and five: "δ ↿ C⇘𝒱2⇙ = []"
and six: "γ ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = (xs @ ν) ↿ E⇘ES2⇙"
by blast
let ?BETA = "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ"
note c'_in_Cv2_inter_Upsilon2 v'_in_Vv2_inter_Nabla2
moreover
from three v'_in_E2 have "?BETA @ [v'] @ δ ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note five
moreover
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ ?BETA c'"
proof -
have "?BETA @ [c'] ∈ Tr⇘ES2⇙"
proof -
from Suc(7) c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν
have "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from validES2 three have "?BETA ∈ Tr⇘ES2⇙"
by (unfold ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def, auto)
moreover
note total_ES2_C2_inter_Upsilon2_inter_N1_inter_Delta1
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note FCIA2
ultimately obtain α2'' δ'
where fcia_one: "set δ' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
and fcia_two: "?BETA @ [c'] @ δ' @ [v'] @ α2'' ∈ Tr⇘ES2⇙"
and fcia_three: "α2'' ↿ V⇘𝒱2⇙ = δ ↿ V⇘𝒱2⇙"
and fcia_four: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding FCIA_def
by blast
let ?DELTA2'' = "γ @ [c'] @ δ'"
from fcia_two validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
proof -
from Suc(7) c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν
have "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with two fcia_one show ?thesis
by auto
qed
moreover
from fcia_two v'_in_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
from fcia_three four have "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
by simp
moreover
note fcia_four
moreover
have "?DELTA2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
proof -
have "δ' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = []"
proof -
from fcia_one have "∀ e ∈ set δ'. e ∈ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙"
by auto
with validV2 have "∀ e ∈ set δ'. e ∉ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp add:isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
thus ?thesis
by (simp add: projection_def)
qed
with c'_in_E2 c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν νE2_empty six
show ?thesis
by (simp only: projection_concatenation_commute projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E2α2'_in_Tr2 α2'Cv2_empty
cδ1''E2_in_Cv2_inter_Upsilon2star c_in_Cv_inter_Upsilon δ1''_in_N1_inter_Delta1star Adm]
obtain α2'' δ2''
where one: "set α2'' ⊆ E⇘ES2⇙"
and two: "set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and three: "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []"
and four: "δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) = δ1'' ↿ E⇘ES2⇙"
by blast
note one two three
moreover
have "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
proof -
from projection_intersection_neutral[OF two, of "E⇘ES1⇙"]
Nv2_inter_Delta2_inter_E1_empty validV1
have "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES1⇙)"
by (simp only: Int_Un_distrib2, auto)
moreover
from validV1
have "C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙ ∩ E⇘ES1⇙ = C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by (simp add: isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
ultimately have "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by simp
hence "δ2'' ↿ E⇘ES1⇙ = δ2'' ↿ (C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙) ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by (simp add: projection_def)
with four have "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙ ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙)"
by simp
hence "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ (N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙) ↿ E⇘ES2⇙"
by (simp only: projection_commute)
with δ1''_in_N1_inter_Delta1star show ?thesis
by (simp only: list_subset_iff_projection_neutral)
qed
ultimately show ?thesis
by blast
next
assume v'_notin_E2: "v' ∉ E⇘ES2⇙"
have "⟦ (β @ [v']) ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙ ;
α2' ↿ C⇘𝒱2⇙ = []; set ((c # δ1'') ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ;
c ∈ C⇘𝒱⇙ ∩ Υ⇘Γ⇙ ; set δ1'' ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙;
Adm 𝒱 ρ (Tr⇘(ES1 ∥ ES2)⇙) β c ⟧
⟹ ∃ α2'' δ2''.
(set α2'' ⊆ E⇘ES2⇙ ∧ set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙
∧ β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙
∧ α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙ ∧ α2'' ↿ C⇘𝒱2⇙ = []
∧ δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙)"
proof (induct "length ((c # δ1'') ↿ E⇘ES2⇙)" arbitrary: β α2' c δ1'')
case 0
from 0(2) validES2 have "set α2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set [] ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ [] @ [v'] ↿ E⇘ES2⇙ @ α2' ∈ Tr⇘ES2⇙"
proof -
note 0(2)
moreover
from 0(1) have "c ∉ E⇘ES2⇙"
by (simp add: projection_def, auto)
ultimately show ?thesis
by (simp add: projection_concatenation_commute projection_def)
qed
moreover
have "α2' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙" ..
moreover
note 0(3)
moreover
from 0(1) have "[] ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
by (simp add: projection_def, split if_split_asm, auto)
ultimately show ?case
by blast
next
case (Suc n)
from projection_split_last[OF Suc(2)] obtain μ c' ν
where c'_in_E2: "c' ∈ E⇘ES2⇙"
and cδ1''_is_μc'ν: "c # δ1'' = μ @ [c'] @ ν"
and νE2_empty: "ν ↿ E⇘ES2⇙ = []"
and n_is_length_μνE2: "n = length ((μ @ ν) ↿ E⇘ES2⇙)"
by blast
from Suc(5) c'_in_E2 cδ1''_is_μc'ν have "set (μ ↿ E⇘ES2⇙ @ [c']) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by (simp only: cδ1''_is_μc'ν projection_concatenation_commute projection_def, auto)
hence c'_in_Cv2_inter_Upsilon2: "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
by auto
hence c'_in_Cv2: "c' ∈ C⇘𝒱2⇙" and c'_in_Upsilon2: "c' ∈ Υ⇘Γ2⇙"
by auto
with validV2 have c'_in_E2: "c' ∈ E⇘ES2⇙"
by (simp add:isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
show ?case
proof (cases μ)
case Nil
with cδ1''_is_μc'ν have c_is_c': "c = c'" and δ1''_is_ν: "δ1'' = ν"
by auto
with c'_in_Cv2_inter_Upsilon2 have "c ∈ C⇘𝒱2⇙"
by simp
moreover
from v'_notin_E2 Suc(3) have "(β ↿ E⇘ES2⇙) @ α2' ∈ Tr⇘ES2⇙"
by (simp add: projection_concatenation_commute projection_def)
moreover
note Suc(4)
moreover
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ (β ↿ E⇘ES2⇙) c"
proof -
from Suc(8) obtain γ
where γρv_is_βρv: "γ ↿ (ρ 𝒱) = β ↿ (ρ 𝒱)"
and γc_in_Tr: "(γ @ [c]) ∈ Tr⇘(ES1 ∥ ES2)⇙"
unfolding Adm_def
by auto
from c_is_c' c'_in_E2 γc_in_Tr have "(γ ↿ E⇘ES2⇙) @ [c] ∈ Tr⇘ES2⇙"
by (simp add: projection_def composeES_def)
moreover
have "γ ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2) = β ↿ E⇘ES2⇙ ↿ (ρ2 𝒱2)"
proof -
from γρv_is_βρv have "γ ↿ E⇘ES2⇙ ↿ (ρ 𝒱) = β ↿ E⇘ES2⇙ ↿ (ρ 𝒱)"
by (metis projection_commute)
with ρ2v2_subset_ρv_inter_E2
have "γ ↿ (ρ2 𝒱2) = β ↿ (ρ2 𝒱2)"
by (metis Int_subset_iff γρv_is_βρv projection_subset_elim)
thus ?thesis
by (metis projection_commute)
qed
ultimately show ?thesis unfolding Adm_def
by auto
qed
moreover
note BSIA2
ultimately obtain α2''
where one: "(β ↿ E⇘ES2⇙) @ [c] @ α2'' ∈ Tr⇘ES2⇙"
and two: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and three: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA2'' = "ν ↿ E⇘ES2⇙"
from one validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from νE2_empty
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by simp
moreover
from c_is_c' c'_in_E2 one v'_notin_E2 νE2_empty
have "(β ↿ E⇘ES2⇙) @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note two three
moreover
from νE2_empty δ1''_is_ν have "?DELTA2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
by (simp add: projection_def)
ultimately show ?thesis
by blast
next
case (Cons x xs)
with cδ1''_is_μc'ν have μ_is_c_xs: "μ = [c] @ xs"
and δ1''_is_xs_c'_ν: "δ1'' = xs @ [c'] @ ν"
by auto
with n_is_length_μνE2 have "n = length ((c # (xs @ ν)) ↿ E⇘ES2⇙)"
by auto
moreover
note Suc(3,4)
moreover
have "set ((c # (xs @ ν)) ↿ E⇘ES2⇙) ⊆ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙"
proof -
have res: "c # (xs @ ν) = [c] @ (xs @ ν)"
by auto
from Suc(5) cδ1''_is_μc'ν μ_is_c_xs νE2_empty
show ?thesis
by (subst res, simp only: cδ1''_is_μc'ν
projection_concatenation_commute set_append, auto)
qed
moreover
note Suc(6)
moreover
from Suc(7) δ1''_is_xs_c'_ν have "set (xs @ ν) ⊆ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover note Suc(8) Suc(1)[of c "xs @ ν" β α2']
ultimately obtain δ γ
where one: "set δ ⊆ E⇘ES2⇙"
and two: "set γ ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and three: "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ @ [v'] ↿ E⇘ES2⇙ @ δ ∈ Tr⇘ES2⇙"
and four: "δ ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and five: "δ ↿ C⇘𝒱2⇙ = []"
and six: "γ ↿ E⇘ES1⇙ = (xs @ ν) ↿ E⇘ES2⇙"
by blast
let ?BETA = "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ γ"
from c'_in_Cv2_inter_Upsilon2 have "c' ∈ C⇘𝒱2⇙"
by auto
moreover
from three v'_notin_E2 have "?BETA @ δ ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
note five
moreover
have "Adm 𝒱2 ρ2 Tr⇘ES2⇙ ?BETA c'"
proof -
have "?BETA @ [c'] ∈ Tr⇘ES2⇙"
proof -
from Suc(7) c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν
have "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
moreover
from validES2 three have "?BETA ∈ Tr⇘ES2⇙"
by (unfold ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def, auto)
moreover
note total_ES2_C2_inter_Upsilon2_inter_N1_inter_Delta1
ultimately show ?thesis
unfolding total_def
by blast
qed
thus ?thesis
unfolding Adm_def
by blast
qed
moreover
note BSIA2
ultimately obtain α2''
where bsia_one: "?BETA @ [c'] @ α2'' ∈ Tr⇘ES2⇙"
and bsia_two: "α2'' ↿ V⇘𝒱2⇙ = δ ↿ V⇘𝒱2⇙"
and bsia_three: "α2'' ↿ C⇘𝒱2⇙ = []"
unfolding BSIA_def
by blast
let ?DELTA2'' = "γ @ [c']"
from bsia_one validES2 have "set α2'' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
have "set ?DELTA2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
proof -
from Suc(7) c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν
have "c' ∈ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with two show ?thesis
by auto
qed
moreover
from bsia_one v'_notin_E2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ ?DELTA2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
from bsia_two four have "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
by simp
moreover
note bsia_three
moreover
have "?DELTA2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
proof -
from validV1 Suc(7) δ1''_is_xs_c'_ν have "c' ∈ E⇘ES1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
with c'_in_E2 c'_in_Cv2_inter_Upsilon2 δ1''_is_xs_c'_ν νE2_empty six
show ?thesis
by (simp only: projection_concatenation_commute projection_def, auto)
qed
ultimately show ?thesis
by blast
qed
qed
from this[OF βv'E2α2'_in_Tr2 α2'Cv2_empty cδ1''E2_in_Cv2_inter_Upsilon2star
c_in_Cv_inter_Upsilon δ1''_in_N1_inter_Delta1star Adm]
show ?thesis
by blast
qed
then obtain α2'' δ2''
where α2''_in_E2star: "set α2'' ⊆ E⇘ES2⇙"
and δ2''_in_N2_inter_Delta2star:"set δ2'' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ C⇘𝒱2⇙ ∩ Υ⇘Γ2⇙ ∩ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
and βE2_cE2_δ2''_v'E2_α2''_in_Tr2:
"β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ2'' @ [v'] ↿ E⇘ES2⇙ @ α2'' ∈ Tr⇘ES2⇙"
and α2''Vv2_is_α2'Vv2: "α2'' ↿ V⇘𝒱2⇙ = α2' ↿ V⇘𝒱2⇙"
and α2''Cv2_empty: "α2'' ↿ C⇘𝒱2⇙ = []"
and δ2''E1_is_δ1''E2: "δ2'' ↿ E⇘ES1⇙ = δ1'' ↿ E⇘ES2⇙"
by blast
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 βE1_cE1_δ1''_v'E1_α1''_in_Tr1
validES2 validES1
have δ2''_in_E2star: "set δ2'' ⊆ E⇘ES2⇙" and δ1''_in_E1star: "set δ1'' ⊆ E⇘ES1⇙"
by (simp_all add: ES_valid_def traces_contain_events_def, auto)
with δ2''E1_is_δ1''E2 merge_property[of δ2'' "E⇘ES2⇙" δ1'' "E⇘ES1⇙"] obtain δ'
where δ'E2_is_δ2'': "δ' ↿ E⇘ES2⇙ = δ2''"
and δ'E1_is_δ1'': "δ' ↿ E⇘ES1⇙ = δ1''"
and δ'_contains_only_δ2''_δ1''_events: "set δ' ⊆ set δ2'' ∪ set δ1''"
unfolding Let_def
by auto
let ?TAU = "β @ [c] @ δ' @ [v']"
let ?LAMBDA = "α ↿ V⇘𝒱⇙"
let ?T2 = α2''
let ?T1 = α1''
have "?TAU ∈ Tr⇘(ES1 ∥ ES2)⇙"
proof -
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2'' validES2
have "β ↿ E⇘ES2⇙ @ [c] ↿ E⇘ES2⇙ @ δ' ↿ E⇘ES2⇙ @ [v'] ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
by (simp add: projection_def, auto)
moreover
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1'' validES1
have "β ↿ E⇘ES1⇙ @ [c] ↿ E⇘ES1⇙ @ δ' ↿ E⇘ES1⇙ @ [v'] ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: ES_valid_def traces_prefixclosed_def
prefixclosed_def prefix_def)
hence "(β @ [c] @ δ' @ [v']) ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
by (simp add: projection_def, auto)
moreover
from βv'α_in_Tr c_in_Cv_inter_Upsilon VIsViewOnE
δ'_contains_only_δ2''_δ1''_events δ2''_in_E2star δ1''_in_E1star
have "set (β @ [c] @ δ' @ [v']) ⊆ E⇘ES2⇙ ∪ E⇘ES1⇙"
unfolding composeES_def isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def
by auto
ultimately show ?thesis
unfolding composeES_def
by auto
qed
hence "set ?TAU ⊆ E⇘(ES1 ∥ ES2)⇙"
unfolding composeES_def
by auto
moreover
have "set ?LAMBDA ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
note α2''_in_E2star α1''_in_E1star
moreover
from βE2_cE2_δ2''_v'E2_α2''_in_Tr2 δ'E2_is_δ2''
have "?TAU ↿ E⇘ES2⇙ @ ?T2 ∈ Tr⇘ES2⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
from βE1_cE1_δ1''_v'E1_α1''_in_Tr1 δ'E1_is_δ1''
have "?TAU ↿ E⇘ES1⇙ @ ?T1 ∈ Tr⇘ES1⇙"
by (simp only: projection_concatenation_commute, auto)
moreover
have "?LAMBDA ↿ E⇘ES2⇙ = ?T2 ↿ V⇘𝒱⇙"
proof -
from propSepViews have "?LAMBDA ↿ E⇘ES2⇙ = α ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def by (simp only: projection_sequence)
moreover
from α2''_in_E2star propSepViews have "?T2 ↿ V⇘𝒱⇙ = ?T2 ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α2'Vv2_is_αVv2 α2''Vv2_is_α2'Vv2
ultimately show ?thesis
by simp
qed
moreover
have "?LAMBDA ↿ E⇘ES1⇙ = ?T1 ↿ V⇘𝒱⇙"
proof -
from propSepViews have "?LAMBDA ↿ E⇘ES1⇙ = α ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def by (simp only: projection_sequence)
moreover
from α1''_in_E1star propSepViews have "?T1 ↿ V⇘𝒱⇙ = ?T1 ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (metis Int_commute projection_intersection_neutral)
moreover
note α1'Vv1_is_αVv1 α1''Vv1_is_α1'Vv1
ultimately show ?thesis
by simp
qed
moreover
note α2''Cv2_empty α1''Cv1_empty generalized_zipping_lemma
ultimately obtain t
where "?TAU @ t ∈ Tr⇘(ES1 ∥ ES2)⇙"
and "t ↿ V⇘𝒱⇙ = ?LAMBDA"
and "t ↿ C⇘𝒱⇙ = []"
by blast
moreover
have "set δ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙"
proof -
from δ'_contains_only_δ2''_δ1''_events
δ2''_in_N2_inter_Delta2star δ1''_in_N1_inter_Delta1star
have "set δ' ⊆ N⇘𝒱2⇙ ∩ Δ⇘Γ2⇙ ∪ N⇘𝒱1⇙ ∩ Δ⇘Γ1⇙"
by auto
with Delta1_N1_Delta2_N2_subset_Delta Nv1_union_Nv2_subsetof_Nv show ?thesis
by auto
qed
ultimately have "∃α' γ'. (set γ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙ ∧ β @ [c] @ γ' @ [v'] @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by (simp only: append_assoc, blast)
}
ultimately have "∃α' γ'. (set γ' ⊆ N⇘𝒱⇙ ∩ Δ⇘Γ⇙ ∧ β @ [c] @ γ' @ [v'] @ α' ∈ Tr⇘(ES1 ∥ ES2)⇙
∧ α' ↿ V⇘𝒱⇙ = α ↿ V⇘𝒱⇙ ∧ α' ↿ C⇘𝒱⇙ = [])"
by blast
}
thus ?thesis
unfolding FCIA_def
by blast
qed
(* Compositionality of R (removal of confidential events).
   If each component satisfies R for its own view, the parallel composition
   satisfies R for the global view 𝒱.  The proof is purely structural:
   a trace τ' of ES1 ∥ ES2 is split into its two projections, R is applied
   componentwise to obtain C-free traces with the same visible behaviour,
   and the two corrected traces are re-interleaved with
   generalized_zipping_lemma (instantiated with the empty prefix []).
   No assumption beyond the enclosing Compositionality locale is used; the
   locale facts referenced below (validES1/validES2, validV1/validV2,
   propSepViews, generalized_zipping_lemma) are declared outside this
   theorem. *)
theorem compositionality_R:
"⟦ R 𝒱1 Tr⇘ES1⇙; R 𝒱2 Tr⇘ES2⇙ ⟧ ⟹ R 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume R1: "R 𝒱1 Tr⇘ES1⇙"
and R2: "R 𝒱2 Tr⇘ES2⇙"
{
(* Arbitrary trace of the composed system; we must exhibit a trace with the
   same 𝒱-visible projection and no 𝒱-confidential events. *)
fix τ'
assume τ'_in_Tr: "τ' ∈ Tr⇘(ES1 ∥ ES2)⇙"
(* composeES_def: a composed trace projects to a trace of each component. *)
hence τ'E1_in_Tr1: "τ' ↿ E⇘ES1⇙ ∈ Tr⇘ES1⇙"
and τ'E2_in_Tr2: "τ' ↿ E⇘ES2⇙ ∈ Tr⇘ES2⇙"
unfolding composeES_def
by auto
(* Apply R in each component: τi' carries no Ci-events and has the same
   Vi-projection as the projected trace. *)
with R1 R2 obtain τ1' τ2'
where τ1'_in_Tr1: "τ1' ∈ Tr⇘ES1⇙"
and τ1'Cv1_empty: "τ1' ↿ C⇘𝒱1⇙ = []"
and τ1'Vv1_is_τ'_E1_Vv1: "τ1' ↿ V⇘𝒱1⇙ = τ' ↿ E⇘ES1⇙ ↿ V⇘𝒱1⇙"
and τ2'_in_Tr2: "τ2' ∈ Tr⇘ES2⇙"
and τ2'Cv2_empty: "τ2' ↿ C⇘𝒱2⇙ = []"
and τ2'Vv2_is_τ'_E2_Vv2: "τ2' ↿ V⇘𝒱2⇙ = τ' ↿ E⇘ES2⇙ ↿ V⇘𝒱2⇙"
unfolding R_def
by blast
(* The facts collected with "moreover" from here on are the premises of
   generalized_zipping_lemma with prefix [] and visible target τ' ↿ V. *)
have "set [] ⊆ E⇘(ES1 ∥ ES2)⇙"
by auto
moreover
have "set (τ' ↿ V⇘𝒱⇙) ⊆ V⇘𝒱⇙"
by (simp add: projection_def, auto)
moreover
(* Traces of a valid ES only contain events of that ES. *)
from validES1 τ1'_in_Tr1 have τ1'_in_E1: "set τ1' ⊆ E⇘ES1⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
from validES2 τ2'_in_Tr2 have τ2'_in_E2: "set τ2' ⊆ E⇘ES2⇙"
by (simp add: ES_valid_def traces_contain_events_def, auto)
moreover
(* Restate τi' in the "prefix-projection @ suffix" shape the zipping lemma
   expects; with the empty prefix this is just τi' itself. *)
from τ1'_in_Tr1 have "[] ↿ E⇘ES1⇙ @ τ1' ∈ Tr⇘ES1⇙"
by (simp add: projection_def)
moreover
from τ2'_in_Tr2 have "[] ↿ E⇘ES2⇙ @ τ2' ∈ Tr⇘ES2⇙"
by (simp add: projection_def)
moreover
(* The global visible view restricted to ES1 agrees with τ1' seen through 𝒱.
   Uses properSeparationOfViews in the form V⇘𝒱⇙ ∩ E⇘ES1⇙ = V⇘𝒱1⇙ (via
   projection_sequence) and τ1' ⊆ E⇘ES1⇙ to trade V⇘𝒱⇙ for V⇘𝒱1⇙. *)
have "τ' ↿ V⇘𝒱⇙ ↿ E⇘ES1⇙ = τ1' ↿ V⇘𝒱⇙"
proof -
from projection_intersection_neutral[OF τ1'_in_E1, of "V⇘𝒱⇙"] propSepViews
have "τ1' ↿ V⇘𝒱⇙ = τ1' ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (simp add: Int_commute)
moreover
from propSepViews have "τ' ↿ V⇘𝒱⇙ ↿ E⇘ES1⇙ = τ' ↿ V⇘𝒱1⇙"
unfolding properSeparationOfViews_def
by (simp add: projection_sequence)
moreover {
(* V⇘𝒱1⇙ ⊆ E⇘ES1⇙ (validV1), so the E1-projection before the V1-projection
   is redundant. *)
have " τ' ↿ E⇘ES1⇙ ↿ V⇘𝒱1⇙ = τ' ↿ (E⇘ES1⇙ ∩ V⇘𝒱1⇙)"
by (simp add: projection_def)
moreover
from validV1 have "E⇘ES1⇙ ∩ V⇘𝒱1⇙ = V⇘𝒱1⇙"
by (simp add: isViewOn_def V_valid_def
VC_disjoint_def VN_disjoint_def NC_disjoint_def, auto)
ultimately have "τ' ↿ E⇘ES1⇙ ↿ V⇘𝒱1⇙ = τ' ↿ V⇘𝒱1⇙"
by simp
}
moreover
note τ1'Vv1_is_τ'_E1_Vv1
ultimately show ?thesis
by simp
qed
moreover
(* Symmetric argument for ES2. *)
have "τ' ↿ V⇘𝒱⇙ ↿ E⇘ES2⇙ = τ2' ↿ V⇘𝒱⇙"
proof -
from projection_intersection_neutral[OF τ2'_in_E2, of "V⇘𝒱⇙"] propSepViews
have "τ2' ↿ V⇘𝒱⇙ = τ2' ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def
by (simp add: Int_commute)
moreover
from propSepViews have "τ' ↿ V⇘𝒱⇙ ↿ E⇘ES2⇙ = τ' ↿ V⇘𝒱2⇙"
unfolding properSeparationOfViews_def
by (simp add: projection_sequence)
moreover {
have " τ' ↿ E⇘ES2⇙ ↿ V⇘𝒱2⇙ = τ' ↿ (E⇘ES2⇙ ∩ V⇘𝒱2⇙)"
by (simp add: projection_def)
moreover
from validV2 have "E⇘ES2⇙ ∩ V⇘𝒱2⇙ = V⇘𝒱2⇙"
by (simp add:isViewOn_def V_valid_def VC_disjoint_def
VN_disjoint_def NC_disjoint_def, auto)
ultimately have "τ' ↿ E⇘ES2⇙ ↿ V⇘𝒱2⇙ = τ' ↿ V⇘𝒱2⇙"
by simp
}
moreover
note τ2'Vv2_is_τ'_E2_Vv2
ultimately show ?thesis
by simp
qed
moreover
(* Zip the two C-free component traces back into one composed trace t. The
   witness is stated as "[] @ t" to match the zipping lemma's conclusion;
   unfolding R_def below normalises it. *)
note τ1'Cv1_empty τ2'Cv2_empty generalized_zipping_lemma
ultimately have "∃t. [] @ t ∈ Tr⇘(ES1 ∥ ES2)⇙ ∧ t ↿ V⇘𝒱⇙ = τ' ↿ V⇘𝒱⇙ ∧ t ↿ C⇘𝒱⇙ = []"
by blast
}
thus ?thesis
unfolding R_def
by auto
qed
end
(* Locale for the compositionality of the strict BSPs (SR, SD, SI).
   The theorems in this locale reduce each strict property to its non-strict
   counterpart by replacing every view with one in which the N-events are
   made visible (V := V ∪ N, N := {}; see the ?𝒱' definitions below) and
   then reusing the Compositionality results.  For that reduction the
   non-confidential events of the global view must restrict exactly to the
   components' N-sets; these two equations are the only assumptions added on
   top of Compositionality, and they are what make
   V⇘?𝒱'⇙ ∩ E⇘ESi⇙ = V⇘?𝒱i'⇙ provable in the theorems below. *)
locale CompositionalityStrictBSPs = Compositionality +
assumes N𝒱_inter_E1_is_N𝒱1: "N⇘𝒱⇙ ∩ E⇘ES1⇙ = N⇘𝒱1⇙"
and N𝒱_inter_E2_is_N𝒱2: "N⇘𝒱⇙ ∩ E⇘ES2⇙ = N⇘𝒱2⇙"
(* NOTE(review): the locale already imports Compositionality through
   "= Compositionality +", so this sublocale relation restates a
   relationship Isabelle already knows.  It is harmless if accepted without
   complaint, but confirm it does not produce a duplicate-interpretation
   warning in the Isabelle version used to check this theory. *)
sublocale CompositionalityStrictBSPs ⊆ Compositionality
by (unfold_locales)
context CompositionalityStrictBSPs
begin
(* Compositionality of SR by reduction to compositionality_R.
   Each view 𝒱i is replaced by ?𝒱i' = ⦇V = Vi ∪ Ni, N = {}, C = Ci⦈ (and
   𝒱 by ?𝒱' likewise).  Under this change SR corresponds to R, as captured
   by SR_implies_R_for_modified_view / R_implies_SR_for_modified_view from
   BSPTaxonomyDifferentCorrections (the definitions of SR and R themselves
   live elsewhere).  The bulk of the proof shows that the modified views
   again form a Compositionality instance, so that compositionality_R can be
   applied to them.
   NOTE(review): lines from the three "let" bindings through "wbc1" are
   repeated verbatim in compositionality_SD and compositionality_SI; a shared
   lemma establishing "Compositionality ES1 ES2 ?𝒱' ?𝒱⇩1' ?𝒱⇩2'" would
   remove the duplication. *)
theorem compositionality_SR:
"⟦ SR 𝒱1 Tr⇘ES1⇙; SR 𝒱2 Tr⇘ES2⇙ ⟧ ⟹ SR 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume "SR 𝒱1 Tr⇘ES1⇙"
and "SR 𝒱2 Tr⇘ES2⇙"
{
(* Modified views: N-events are moved into V, leaving N empty. *)
let ?𝒱⇩1'="⦇V = V⇘𝒱1⇙ ∪ N⇘𝒱1⇙, N = {}, C = C⇘𝒱1⇙⦈"
let ?𝒱⇩2'="⦇V = V⇘𝒱2⇙ ∪ N⇘𝒱2⇙, N = {}, C = C⇘𝒱2⇙ ⦈"
let ?𝒱' ="⦇V=V⇘𝒱⇙ ∪ N⇘𝒱⇙, N={}, C=C⇘𝒱⇙ ⦈"
(* The modified views are still valid views on the respective event sets. *)
from validV1 have 𝒱⇩1'IsViewOnE⇩1: "isViewOn ?𝒱⇩1' E⇘ES1⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from validV2 have 𝒱⇩2'IsViewOnE⇩2: "isViewOn ?𝒱⇩2' E⇘ES2⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from VIsViewOnE have 𝒱'IsViewOnE: "isViewOn ?𝒱' E⇘(ES1∥ES2)⇙"
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
(* Proper separation of the modified views.  The V-equations need the extra
   locale assumptions N𝒱_inter_Ei_is_N𝒱i, since V⇘?𝒱'⇙ now contains N⇘𝒱⇙;
   the C-inclusions and N-disjointness come from propSepViews alone (N is
   empty in all modified views). *)
from propSepViews N𝒱_inter_E1_is_N𝒱1
have "V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews N𝒱_inter_E2_is_N𝒱2
have "V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
have "N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}"
by auto
note properSeparation_𝒱⇩1𝒱⇩2=‹V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙› ‹V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙›
‹C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙› ‹C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙› ‹N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}›
(* Well-behaved composition: with N = {} in both modified views the
   condition used here is trivially true, so none of the non-trivial
   well-behavedness side conditions are needed for the strict BSPs. *)
have wbc1: "N⇘?𝒱⇩1'⇙ ∩ E⇘ES1⇙={} ∧ N⇘?𝒱⇩2'⇙ ∩ E⇘ES2⇙={}"
by auto
(* SR for the original component view is R for the modified one. *)
from ‹SR 𝒱1 Tr⇘ES1⇙› have "R ?𝒱⇩1' Tr⇘ES1⇙"
using validES1 validV1 BSPTaxonomyDifferentCorrections.SR_implies_R_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
from ‹SR 𝒱2 Tr⇘ES2⇙› have "R ?𝒱⇩2' Tr⇘ES2⇙"
using validES2 validV2 BSPTaxonomyDifferentCorrections.SR_implies_R_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
(* Assemble a Compositionality instance for the modified views and reuse
   compositionality_R on it. *)
from validES1 validES2 composableES1ES2 𝒱'IsViewOnE 𝒱⇩1'IsViewOnE⇩1 𝒱⇩2'IsViewOnE⇩2
properSeparation_𝒱⇩1𝒱⇩2 wbc1
have "Compositionality ES1 ES2 ?𝒱' ?𝒱⇩1' ?𝒱⇩2'" unfolding Compositionality_def
by (simp add: properSeparationOfViews_def wellBehavedComposition_def)
with ‹R ?𝒱⇩1' Tr⇘ES1⇙› ‹R ?𝒱⇩2' Tr⇘ES2⇙› have "R ?𝒱' Tr⇘(ES1∥ES2)⇙"
using Compositionality.compositionality_R by blast
(* Translate back: R for the modified global view is SR for 𝒱. *)
from validES1 validES2 composeES_yields_ES validVC
have "BSPTaxonomyDifferentCorrections (ES1∥ES2) 𝒱"
unfolding BSPTaxonomyDifferentCorrections_def by auto
with ‹R ?𝒱' Tr⇘(ES1∥ES2)⇙› have "SR 𝒱 Tr⇘(ES1∥ES2)⇙"
using BSPTaxonomyDifferentCorrections.R_implies_SR_for_modified_view by auto
}
thus ?thesis by auto
qed
(* Compositionality of SD by reduction to compositionality_BSD.
   Same scheme as compositionality_SR: the views are replaced by
   ?𝒱i' = ⦇V = Vi ∪ Ni, N = {}, C = Ci⦈, SD is translated to BSD for the
   modified views (SD_implies_BSD_for_modified_view), the modified views are
   shown to form a Compositionality instance, compositionality_BSD is
   applied, and the result is translated back with
   BSD_implies_SD_for_modified_view.  The definitions of SD and BSD live
   elsewhere.
   NOTE(review): the view setup through "wbc1" is identical to the one in
   compositionality_SR and compositionality_SI; a shared lemma would remove
   the duplication. *)
theorem compositionality_SD:
"⟦ SD 𝒱1 Tr⇘ES1⇙; SD 𝒱2 Tr⇘ES2⇙ ⟧ ⟹ SD 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume "SD 𝒱1 Tr⇘ES1⇙"
and "SD 𝒱2 Tr⇘ES2⇙"
{
(* Modified views: N-events are moved into V, leaving N empty. *)
let ?𝒱⇩1'="⦇V = V⇘𝒱1⇙ ∪ N⇘𝒱1⇙, N = {}, C = C⇘𝒱1⇙⦈"
let ?𝒱⇩2'="⦇V = V⇘𝒱2⇙ ∪ N⇘𝒱2⇙, N = {}, C = C⇘𝒱2⇙ ⦈"
let ?𝒱' ="⦇V=V⇘𝒱⇙ ∪ N⇘𝒱⇙, N={}, C=C⇘𝒱⇙ ⦈"
(* The modified views are still valid views on the respective event sets. *)
from validV1 have 𝒱⇩1'IsViewOnE⇩1: "isViewOn ?𝒱⇩1' E⇘ES1⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from validV2 have 𝒱⇩2'IsViewOnE⇩2: "isViewOn ?𝒱⇩2' E⇘ES2⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from VIsViewOnE have 𝒱'IsViewOnE: "isViewOn ?𝒱' E⇘(ES1∥ES2)⇙"
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
(* Proper separation of the modified views; the V-equations rely on the
   locale assumptions N𝒱_inter_Ei_is_N𝒱i because V⇘?𝒱'⇙ contains N⇘𝒱⇙. *)
from propSepViews N𝒱_inter_E1_is_N𝒱1
have "V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews N𝒱_inter_E2_is_N𝒱2
have "V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
have "N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}"
by auto
note properSeparation_𝒱⇩1𝒱⇩2=‹V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙› ‹V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙›
‹C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙› ‹C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙› ‹N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}›
(* Well-behaved composition is trivial here because N = {} in both
   modified views. *)
have wbc1: "N⇘?𝒱⇩1'⇙ ∩ E⇘ES1⇙={} ∧ N⇘?𝒱⇩2'⇙ ∩ E⇘ES2⇙={}"
by auto
(* SD for the original component view is BSD for the modified one. *)
from ‹SD 𝒱1 Tr⇘ES1⇙› have "BSD ?𝒱⇩1' Tr⇘ES1⇙"
using validES1 validV1 BSPTaxonomyDifferentCorrections.SD_implies_BSD_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
from ‹SD 𝒱2 Tr⇘ES2⇙› have "BSD ?𝒱⇩2' Tr⇘ES2⇙"
using validES2 validV2 BSPTaxonomyDifferentCorrections.SD_implies_BSD_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
(* Assemble a Compositionality instance for the modified views and reuse
   compositionality_BSD on it. *)
from validES1 validES2 composableES1ES2 𝒱'IsViewOnE 𝒱⇩1'IsViewOnE⇩1 𝒱⇩2'IsViewOnE⇩2
properSeparation_𝒱⇩1𝒱⇩2 wbc1
have "Compositionality ES1 ES2 ?𝒱' ?𝒱⇩1' ?𝒱⇩2'"
unfolding Compositionality_def
by (simp add: properSeparationOfViews_def wellBehavedComposition_def)
with ‹BSD ?𝒱⇩1' Tr⇘ES1⇙› ‹BSD ?𝒱⇩2' Tr⇘ES2⇙› have "BSD ?𝒱' Tr⇘(ES1∥ES2)⇙"
using Compositionality.compositionality_BSD by blast
(* Translate back: BSD for the modified global view is SD for 𝒱. *)
from validES1 validES2 composeES_yields_ES validVC
have "BSPTaxonomyDifferentCorrections (ES1∥ES2) 𝒱"
unfolding BSPTaxonomyDifferentCorrections_def by auto
with ‹BSD ?𝒱' Tr⇘(ES1∥ES2)⇙› have "SD 𝒱 Tr⇘(ES1∥ES2)⇙"
using BSPTaxonomyDifferentCorrections.BSD_implies_SD_for_modified_view by auto
}
thus ?thesis by auto
qed
text ‹Compositionality of strict insertion (SI). If both components satisfy SD and SI
  for their local views, the composed system satisfies SI for the global view.
  The proof reduces the strict properties to the basic ones (BSD, BSI) for the
  "modified" views in which the N events are merged into V (so N is empty),
  instantiates the Compositionality locale for these modified views, applies
  compositionality_BSI, and translates the result back to SI. SD of both
  components is assumed because compositionality_BSI is supplied with BSD of
  both components in addition to BSI.›
theorem compositionality_SI:
"⟦SD 𝒱1 Tr⇘ES1⇙; SD 𝒱2 Tr⇘ES2⇙; SI 𝒱1 Tr⇘ES1⇙; SI 𝒱2 Tr⇘ES2⇙ ⟧
⟹ SI 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume "SD 𝒱1 Tr⇘ES1⇙"
and "SD 𝒱2 Tr⇘ES2⇙"
and "SI 𝒱1 Tr⇘ES1⇙"
and "SI 𝒱2 Tr⇘ES2⇙"
{
(* Modified views: the N events are moved into V, N becomes empty, C is unchanged. *)
let ?𝒱⇩1'="⦇V = V⇘𝒱1⇙ ∪ N⇘𝒱1⇙, N = {}, C = C⇘𝒱1⇙⦈"
let ?𝒱⇩2'="⦇V = V⇘𝒱2⇙ ∪ N⇘𝒱2⇙, N = {}, C = C⇘𝒱2⇙ ⦈"
let ?𝒱' ="⦇V=V⇘𝒱⇙ ∪ N⇘𝒱⇙, N={}, C=C⇘𝒱⇙ ⦈"
(* The modified views are still well-formed views on the respective event sets. *)
from validV1 have 𝒱⇩1'IsViewOnE⇩1: "isViewOn ?𝒱⇩1' E⇘ES1⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from validV2 have 𝒱⇩2'IsViewOnE⇩2: "isViewOn ?𝒱⇩2' E⇘ES2⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from VIsViewOnE have 𝒱'IsViewOnE: "isViewOn ?𝒱' E⇘(ES1∥ES2)⇙"
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
(* Proper separation of the modified views. propSepViews and the N-intersection
   facts are assumptions of the enclosing context (not visible in this excerpt). *)
from propSepViews N𝒱_inter_E1_is_N𝒱1
have "V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews N𝒱_inter_E2_is_N𝒱2
have "V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
have "N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}"
by auto
note properSeparation_𝒱⇩1𝒱⇩2=‹V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙› ‹V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙›
‹C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙› ‹C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙› ‹N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}›
(* Well-behaved composition is discharged trivially: the modified views have N = {},
   so the usual side conditions on N events do not arise for the strict properties. *)
have wbc1: "N⇘?𝒱⇩1'⇙ ∩ E⇘ES1⇙={} ∧ N⇘?𝒱⇩2'⇙ ∩ E⇘ES2⇙={}"
by auto
(* Strict properties of the components become basic properties of the modified views. *)
from ‹SD 𝒱1 Tr⇘ES1⇙› have "BSD ?𝒱⇩1' Tr⇘ES1⇙"
using validES1 validV1 BSPTaxonomyDifferentCorrections.SD_implies_BSD_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
from ‹SD 𝒱2 Tr⇘ES2⇙› have "BSD ?𝒱⇩2' Tr⇘ES2⇙"
using validES2 validV2 BSPTaxonomyDifferentCorrections.SD_implies_BSD_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
from ‹SI 𝒱1 Tr⇘ES1⇙› have "BSI ?𝒱⇩1' Tr⇘ES1⇙"
using validES1 validV1 BSPTaxonomyDifferentCorrections.SI_implies_BSI_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
from ‹SI 𝒱2 Tr⇘ES2⇙› have "BSI ?𝒱⇩2' Tr⇘ES2⇙"
using validES2 validV2 BSPTaxonomyDifferentCorrections.SI_implies_BSI_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
(* Instantiate the Compositionality locale for the modified views. *)
from validES1 validES2 composableES1ES2 𝒱'IsViewOnE 𝒱⇩1'IsViewOnE⇩1 𝒱⇩2'IsViewOnE⇩2
properSeparation_𝒱⇩1𝒱⇩2 wbc1
have "Compositionality ES1 ES2 ?𝒱' ?𝒱⇩1' ?𝒱⇩2'" unfolding Compositionality_def
by (simp add: properSeparationOfViews_def wellBehavedComposition_def)
(* compositionality_BSI is given BSD as well as BSI of both components. *)
with ‹BSD ?𝒱⇩1' Tr⇘ES1⇙› ‹BSD ?𝒱⇩2' Tr⇘ES2⇙› ‹BSI ?𝒱⇩1' Tr⇘ES1⇙› ‹BSI ?𝒱⇩2' Tr⇘ES2⇙›
have "BSI ?𝒱' Tr⇘(ES1∥ES2)⇙"
using Compositionality.compositionality_BSI by blast
(* Translate BSI of the modified view back to SI of the original view on the composition. *)
from validES1 validES2 composeES_yields_ES validVC
have "BSPTaxonomyDifferentCorrections (ES1∥ES2) 𝒱"
unfolding BSPTaxonomyDifferentCorrections_def by auto
with ‹BSI ?𝒱' Tr⇘(ES1∥ES2)⇙› have "SI 𝒱 Tr⇘(ES1∥ES2)⇙"
using BSPTaxonomyDifferentCorrections.BSI_implies_SI_for_modified_view by auto
}
thus ?thesis by auto
qed
text ‹Compositionality of strict insertion of admissible events (SIA). Besides SD and
  SIA of both components, the local admissibility sets must be contained in the
  global one restricted to each component's event set. The proof follows the same
  scheme as for SI: reduce to BSD/BSIA for the modified views (N merged into V),
  instantiate the Compositionality locale, apply compositionality_BSIA, and
  translate back. Since BSIA is parameterised by a ρ function on views, each ρ is
  wrapped in a function that yields the original ρ-set exactly on the corresponding
  modified view and the empty set elsewhere.›
theorem compositionality_SIA:
"⟦SD 𝒱1 Tr⇘ES1⇙; SD 𝒱2 Tr⇘ES2⇙; SIA ρ1 𝒱1 Tr⇘ES1⇙; SIA ρ2 𝒱2 Tr⇘ES2⇙;
(ρ1 𝒱1) ⊆ (ρ 𝒱) ∩ E⇘ES1⇙; (ρ2 𝒱2) ⊆ (ρ 𝒱) ∩ E⇘ES2⇙ ⟧
⟹ SIA ρ 𝒱 (Tr⇘(ES1 ∥ ES2)⇙)"
proof -
assume "SD 𝒱1 Tr⇘ES1⇙"
and "SD 𝒱2 Tr⇘ES2⇙"
and "SIA ρ1 𝒱1 Tr⇘ES1⇙"
and "SIA ρ2 𝒱2 Tr⇘ES2⇙"
and "(ρ1 𝒱1) ⊆ (ρ 𝒱) ∩ E⇘ES1⇙"
and "(ρ2 𝒱2) ⊆ (ρ 𝒱) ∩ E⇘ES2⇙"
{
(* Modified views: the N events are moved into V, N becomes empty, C is unchanged. *)
let ?𝒱⇩1' ="⦇V = V⇘𝒱1⇙ ∪ N⇘𝒱1⇙, N = {}, C = C⇘𝒱1⇙⦈"
let ?𝒱⇩2'="⦇V = V⇘𝒱2⇙ ∪ N⇘𝒱2⇙, N = {}, C = C⇘𝒱2⇙ ⦈"
let ?𝒱' ="⦇V=V⇘𝒱⇙ ∪ N⇘𝒱⇙, N={}, C=C⇘𝒱⇙ ⦈"
(* Adapted ρ functions: agree with the original ρ-sets on the modified views,
   and are empty on every other view. *)
let "?ρ1'::'a Rho" ="λ𝒱. if 𝒱=?𝒱⇩1' then ρ1 𝒱1 else {}"
let "?ρ2'::'a Rho" ="λ𝒱. if 𝒱=?𝒱⇩2' then ρ2 𝒱2 else {}"
let "?ρ'::'a Rho" ="λ𝒱'. if 𝒱'=?𝒱' then ρ 𝒱 else {}"
have "(?ρ1' ?𝒱⇩1') = (ρ1 𝒱1)" by simp
have "(?ρ2' ?𝒱⇩2') = (ρ2 𝒱2)" by simp
have "(?ρ' ?𝒱') = (ρ 𝒱)" by simp
(* The modified views are still well-formed views on the respective event sets. *)
from validV1 have 𝒱⇩1'IsViewOnE⇩1: "isViewOn ?𝒱⇩1' E⇘ES1⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from validV2 have 𝒱⇩2'IsViewOnE⇩2: "isViewOn ?𝒱⇩2' E⇘ES2⇙ "
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
from VIsViewOnE have 𝒱'IsViewOnE: "isViewOn ?𝒱' E⇘(ES1∥ES2)⇙"
unfolding isViewOn_def V_valid_def VN_disjoint_def NC_disjoint_def VC_disjoint_def by auto
(* Proper separation of the modified views. propSepViews and the N-intersection
   facts are assumptions of the enclosing context (not visible in this excerpt). *)
from propSepViews N𝒱_inter_E1_is_N𝒱1
have "V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews N𝒱_inter_E2_is_N𝒱2
have "V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙"
unfolding properSeparationOfViews_def by auto
from propSepViews
have "C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙"
unfolding properSeparationOfViews_def by auto
have "N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}"
by auto
note properSeparation_𝒱⇩1𝒱⇩2=‹V⇘?𝒱'⇙ ∩ E⇘ES1⇙ = V⇘?𝒱⇩1'⇙› ‹V⇘?𝒱'⇙ ∩ E⇘ES2⇙ = V⇘?𝒱⇩2'⇙›
‹C⇘?𝒱'⇙ ∩ E⇘ES1⇙ ⊆ C⇘?𝒱⇩1'⇙› ‹C⇘?𝒱'⇙ ∩ E⇘ES2⇙ ⊆ C⇘?𝒱⇩2'⇙› ‹N⇘?𝒱⇩1'⇙ ∩ N⇘?𝒱⇩2'⇙ ={}›
(* Well-behaved composition is discharged trivially: the modified views have N = {}. *)
have wbc1: "N⇘?𝒱⇩1'⇙ ∩ E⇘ES1⇙={} ∧ N⇘?𝒱⇩2'⇙ ∩ E⇘ES2⇙={}"
by auto
(* Strict properties of the components become basic properties of the modified views;
   for SIA the adapted ρ must agree with the original ρ-set on the modified view. *)
from ‹SD 𝒱1 Tr⇘ES1⇙› have "BSD ?𝒱⇩1' Tr⇘ES1⇙"
using validES1 validV1 BSPTaxonomyDifferentCorrections.SD_implies_BSD_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
from ‹SD 𝒱2 Tr⇘ES2⇙› have "BSD ?𝒱⇩2' Tr⇘ES2⇙"
using validES2 validV2 BSPTaxonomyDifferentCorrections.SD_implies_BSD_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by auto
from ‹SIA ρ1 𝒱1 Tr⇘ES1⇙› ‹(?ρ1' ?𝒱⇩1') = (ρ1 𝒱1)› have "BSIA ?ρ1' ?𝒱⇩1' Tr⇘ES1⇙"
using validES1 validV1 BSPTaxonomyDifferentCorrections.SIA_implies_BSIA_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by fastforce
from ‹SIA ρ2 𝒱2 Tr⇘ES2⇙› ‹(?ρ2' ?𝒱⇩2') = (ρ2 𝒱2)› have "BSIA ?ρ2' ?𝒱⇩2' Tr⇘ES2⇙"
using validES2 validV2 BSPTaxonomyDifferentCorrections.SIA_implies_BSIA_for_modified_view
unfolding BSPTaxonomyDifferentCorrections_def by fastforce
(* Instantiate the Compositionality locale for the modified views. *)
from validES1 validES2 composableES1ES2 𝒱'IsViewOnE 𝒱⇩1'IsViewOnE⇩1 𝒱⇩2'IsViewOnE⇩2
properSeparation_𝒱⇩1𝒱⇩2 wbc1
have "Compositionality ES1 ES2 ?𝒱' ?𝒱⇩1' ?𝒱⇩2'"
unfolding Compositionality_def
by (simp add: properSeparationOfViews_def wellBehavedComposition_def)
(* The ρ-inclusion assumptions on the original views carry over to the adapted ρ
   functions on the modified views; compositionality_BSIA is given them below. *)
from ‹(ρ1 𝒱1) ⊆ (ρ 𝒱) ∩ E⇘ES1⇙› ‹(?ρ1' ?𝒱⇩1') = (ρ1 𝒱1)› ‹(?ρ' ?𝒱') = (ρ 𝒱)›
have "?ρ1' ?𝒱⇩1' ⊆ ?ρ' ?𝒱' ∩ E⇘ES1⇙"
by auto
from ‹(ρ2 𝒱2) ⊆ (ρ 𝒱) ∩ E⇘ES2⇙› ‹(?ρ2' ?𝒱⇩2') = (ρ2 𝒱2)› ‹(?ρ' ?𝒱') = (ρ 𝒱)›
have "?ρ2' ?𝒱⇩2' ⊆ ?ρ' ?𝒱' ∩ E⇘ES2⇙"
by auto
from ‹Compositionality ES1 ES2 ?𝒱' ?𝒱⇩1' ?𝒱⇩2'› ‹BSD ?𝒱⇩1' Tr⇘ES1⇙› ‹BSD ?𝒱⇩2' Tr⇘ES2⇙›
‹BSIA ?ρ1' ?𝒱⇩1' Tr⇘ES1⇙› ‹BSIA ?ρ2' ?𝒱⇩2' Tr⇘ES2⇙›
‹?ρ1' ?𝒱⇩1' ⊆ ?ρ' ?𝒱' ∩ E⇘ES1⇙› ‹?ρ2' ?𝒱⇩2' ⊆ ?ρ' ?𝒱' ∩ E⇘ES2⇙›
have "BSIA ?ρ' ?𝒱' Tr⇘(ES1∥ES2)⇙"
using Compositionality.compositionality_BSIA by fastforce
(* Translate BSIA of the modified view back to SIA of the original view on the
   composition, using that the adapted ρ' agrees with ρ on the modified view. *)
from validES1 validES2 composeES_yields_ES validVC
have "BSPTaxonomyDifferentCorrections (ES1∥ES2) 𝒱"
unfolding BSPTaxonomyDifferentCorrections_def by auto
with ‹BSIA ?ρ' ?𝒱' Tr⇘(ES1∥ES2)⇙› ‹(?ρ' ?𝒱') = (ρ 𝒱)› have "SIA ρ 𝒱 Tr⇘(ES1∥ES2)⇙"
using BSPTaxonomyDifferentCorrections.BSIA_implies_SIA_for_modified_view by fastforce
}
thus ?thesis
by auto
qed
end
end